It’s often said that necessity breeds creativity, and during a global pandemic such words have proved truer than ever. Realising the common doorbell could be a potential surface transmission point for coronavirus, [CasperHuang] whipped up a quick build.
The build eschews the typical pushbutton we’re all familiar with. Instead, it relies on an ultrasonic distance sensor to detect a hand (or foot) waved in front of the door. An Arduino Leonardo runs the show, sounding a buzzer when the ultrasonic sensor is triggered. In order to avoid modifying the apartment door, the build is housed in a pair of cardboard boxes, taped to the base of the door, with wires passing underneath.
It’s a tidy way to handle contactless deliveries. We imagine little touches like this may become far more common in future design, as the world learns lessons from the COVID-19 pandemic. Every little bit helps, after all. Video after the break.
As the world settles into this pandemic, some things are still difficult to mentally reckon, such as the day of the week. We featured a printed day clock a few months ago that used a large pointer to provide this basic psyche-grounding information. In the years since then, [Jeff Thieleke] whipped up a feature-rich remix that adds indoor air quality readings and a lot more.
Like [phreakmonkey]’s original day tripper, an ESP32 takes care of figuring out what day it is and moves a 9 g servo accordingly. [Jeff] wanted a little more visual action, so the pointer moves a tad bit every hour. A temperature/humidity sensor and a separate CO₂ sensor output their readings to an LCD screen mounted under the pointer. Since [Jeff] is keeping this across the basement workshop from the bench, the data is also available from a web server running on the ESP32 via XML and JSON, and the day clock can get OTA updates.
Thanks to low-cost WiFi enabled microcontrollers such as the ESP8266 and ESP32, it’s never been a better time to roll your own smart home system. But that doesn’t mean it isn’t daunting for new players. If you’re looking for an easy first project, putting your old school doorbell on the Internet of Things is a great start, but even here there’s some debate about how to proceed.
His solution only requires an inductive current sensor, which can be had for less than $1 from the usual overseas suppliers. One leg of the doorbell circuit is passed through the center of this sensor, and the sensor itself is connected up to your microcontroller of choice (here, and ESP32). The rest is software, which [AnotherMaker] explains in the video after the break. With the addition of a little debounce code, your microcontroller can reliably determine when somebody is out there jabbing the bell button; what you do with this information after that is up to you.
While we’re still far away from returning to a pre-Corona everyday life, people seem to have accepted that toilet paper will neither magically cease to exist, nor become our new global currency. But back at the height of its madness, like most of us, [Jelle Vermandere] found himself in front of empty shelves, and the solution seemed obvious to him: creating a lifelike toilet paper chasing game in hopes to distract the competition.
Using Unity, [Jelle] created a game world of an empty supermarket, with the goal to chase after distribution tubes and collect toilet paper packs into a virtual cart. Inspired by the Wii Wheel, he imitated a shopping cart handle built from — as it appears — a sunshade pole that holds an Arduino and accelerometer in a 3D-printed case as game controller. For an even more realistic feel, he added a sound sensor to the controller, and competing carts to the game, which can be pushed out of the way by simply yelling loud enough. You can witness all of this delightful absurdity in his build video after the break.
From racing shopping carts to racing bicycles
But that’s not all. With the toilet paper situation sorted out, [Jelle] found himself in a different dilemma: a cloud foiled his plans of going for a bicycle ride. In the same manner, he ended up building a cycling racing game, once again with Unity and Arduino. From a 3D-scanned model of himself and his bicycle, to automatically generating tracks on the fly and teaching an AI to ride a bike, [Jelle] clearly doesn’t joke around while he’s joking around.
However, the best part about the game has to be the controller, which is his actual bicycle. Using a magnetic door sensor to detect the speed, and a potentiometer mounted with an obscure Lego construction to the handlebar, it’s at least on par with the shopping cart handle — but judge for yourself in another build video, also attached after the break. The only thing missing now is to level up the difficulty by powering the Arduino with the bicycle itself.
Watch any movie about the years of prohibition, and you’ll probably see character gain admittance to a speakeasy by using a secret knock on the door. In the old movies, a little sliding door would open so the doorman could check you out and let you in. With [IsmailSan’s] electronic lock, the secret knock automatically unlocks the door. You can see a video of how it works, below.
(Ed Note: Grrr…GitHub repo got pulled between writing and publication. Go check out the in-links in the bottom paragraph if you’re interested in knock-detectors.)
The device uses a piezoelectric speaker to detect the knocking. A speaker is a transducer and like many transducers, it will work — to some extent — in either direction. A servo motor manages the deadbolt. An Arduino runs the whole thing.
[Madalin Valceleanu] had a somewhat unique problem. He wanted to make his front door a bit “smarter”, but none of the IoT door locks he found were compatible with the style of reinforced door he had. So he set out to design and 3D print his own Internet-controlled door handle.
Now we say handle and not lock because the internal mechanisms haven’t actually been replaced. Those aren’t exactly the kind of parts that lend themselves to being recreated in PLA, after all. The printed components simply replace the original plate and handle on the interior of the door.
In that case, you might be wondering what the point of all this was. If he’s still using the same internal mechanism, how does a new handle help? On his new handle, [Madalin] has integrated a servo that’s capable of turning the original key in the door. With the servo wired up to a Raspberry Pi, this allows him to lock and unlock the door through his home automation system.
Ready for more speculative execution news? Hope so, because both Intel and AMD are in the news this week.
The first story is Load Value Injection, a different approach to reading arbitrary memory. Rather than try to read protected memory, LVI turns that on its head by injecting data into a target’s data. The processor speculatively executes based on that bad data, eventually discovers the fault, and unwinds the execution. As per other similar attacks, the execution still changes the under-the-hood state of the processor in ways that an attacker can detect.
What’s the actual attack vector where LVI could be a problem? Imagine a scenario where a single server hosts multiple virtual machines, and uses Intel’s Secure Guard eXentensions enclave to keep the VMs secure. The low-level nature of the attack means that not even SGX is safe.
The upside here is that the attack is quite difficult to pull off, and isn’t considered much of a threat to home users. On the other hand, the performance penalty of the suggested fixes can be pretty severe. It’s still early in the lifetime of this particular vulnerability, so keep an eye out for further updates.
AMD’s Takeaway Bug
AMD also found itself on the receiving end of a speculative execution attack (PDF original paper here). Collide+Probe and Load+Reload are the two specific attacks discovered by an international team of academics. The attacks are based around the reverse-engineering of a hash function used to speed up cache access. While this doesn’t leak protected data quite like Spectre and Meltdown, it still reveals internal data from the CPU. Time will tell where exactly this technique will lead in the future.
To really understand what’s going on here, we have to start with the concept of a hash table. This idea is a useful code paradigm that shows up all over the place. Python dictionaries? Hash tables under the hood.
Imagine you have a set of a thousand values, and need to check whether a specific value is part of that set. Iterating over that entire set of values is a computationally expensive proposition. The alternative is to build a hash table. Create an array of a fixed length, let’s say 256. The trick is to use a hash function to sort the values into this array, using the first eight bits of the hash output to determine which array location each value is stored in.
When you need to check whether a value is present in your set, simply run that value through the hash function, and then check the array cell that corresponds to the hash output. You may be ahead of me on the math — yes, that works out to about four different values per array cell. These hash collisions are entirely normal for a hash table. The lookup function simply checks all the values held in the appropriate cell. It’s still far faster than searching the whole table.
AMD processors use a hash table function to check whether memory requests are present in L1 cache. The Takeaway researchers figured out that hash function, and can use hash collisions to leak information. When the hash values collide, the L1 cache has two separate chunks of memory that need to occupy the same cache line. It handles this by simply discarding the older data when loading the colliding memory. An attacker can abuse this by measuring the latency of memory lookups.checking
If an attacker knows the memory location of the target data, he can allocate memory in a different location that will be stored in the same cache line. Then by repeatedly loading his allocated memory, he knows whether the target location has been accessed since his last check. What real world attack does that enable? One of the interesting ones is mapping out the memory layout of ASLR/KASLR memory. It was also suggested that Takeaway could be combined with the Spectre attack.
There are two interesting wrinkles to this story. First, some have pointed out the presence of a thank-you to Intel in the paper’s acknowledgements. “Additional funding was provided by generous gifts from Intel.” This makes it sound like Intel has been funding security research into AMD processors, though it’s not clear what exactly this refers to.
Lastly, AMD’s response has been underwhelming. At the time of writing, their official statement is that “AMD believes these are not new speculation-based attacks.” Now that the paper has been publicly released, that statement will quickly be proven to be either accurate or misinformed.
Closed Source Privacy?
The Google play store and iOS app store is full of apps that offer privacy, whether it be a VPN, adblocker, or some other amazing sounding application. The vast majority of those apps, however, are closed source, meaning that you have little more than trust in the app publisher to ensure that your privacy is really being helped. In the case of Sensor Tower, it seems that faith is woefully misplaced.
A typical shell game is played, with paper companies appearing to provide apps like Luna VPN and Adblock Focus. While technically providing the services they claim to provide, the real aim of both apps is to send data back to Sensor Tower. When it’s possible, open source is the way to go, but even an open source app can’t protect you against a malicious VPN provider.
Does the word “#backdoor” seem frightening? That’s because it’s often used incorrectly – sometimes to deliberately create fear. Watch to learn the truth about backdoors and other types of network access. #cybersecuritypic.twitter.com/NEUXbZbcqw
[Robert Graham] thought the whole story was fishy, and decided to write about it. He makes two important points. First, the Wall Street Journal article cites anonymous US officials. In his opinion, this is a huge red flag, and means that the information is either entirely false, or an intentional spin, and is being fed to journalists in order to shape the news. His second point is that Huawei’s redefinition of government-mandated backdoors as “front doors” takes the line of the FBI, and the Chinese Communist Party, that governments should be able to listen in on your communications at their discretion.
Graham shares a story from a few years back, when his company was working on Huawei brand mobile telephony equipment in a given country. While they were working, there was an unspecified international incident, and Graham watched the logs as a Huawei service tech remoted into the cell tower nearest the site of the incident. After the information was gathered, the logs were scrubbed, and the tech logged out as if nothing had happened.
Did this tech also work for the Chinese government? The NSA? The world will never know, but the fact is that a government-mandated “front door” is still a back door from the users’ perspective: they are potentially being snooped on without their knowledge or consent. The capability for abuse is built-in, whether it’s mandated by law or done in secret. “Front doors” are back doors. Huawei’s gear may not be dirtier than anyone else’s in this respect, but that’s different from saying it’s clean.
Abusing Regex to Fool Google
[xdavidhu] was poking at Google’s Gmail API, and found a widget that caught him by surprise. A button embedded on the page automatically generated an API key. Diving into the Javascript running on that page, as well as an iframe that gets loaded, he arrived at an ugly regex string that was key to keeping the entire process secure. He gives us a tip, www.debuggex.com, a regex visualizer, which he uses to find a bug in Google’s JS code. The essence of the bug is that part of the URL location is interpreted as being the domain name. “www.example.com\.corp.google.com” is considered to be a valid URL, pointing at example.com, but Google’s JS code sees the whole string as a domain, and thinks it must be a Google domain.
For his work, [xdavidhu] was awarded $6,000 because this bit of ugly regex is actually used in quite a few places throughout Google’s infrastructure.
SMBv3 Wormable Flaw
Microsoft’s SMBv3 implementation in Windows 10 and Server 2019 has a vulnerability in how it handles on-the-fly compression, CVE-2020-0796. A malicious packet using compression is enough to trigger a buffer overflow and remote code execution. It’s important to note that this vulnerability doesn’t required an authenticated user. Any unpatched, Internet-accessible server can be compromised. The flaw exists in both server and client code, so an unpatched Windows 10 client can be compromised by connecting to a malicious server.
There seems to have been a planned coordinated announcement of this bug, corresponding with Microsoft’s normal Patch Tuesday, as both Fortinet and Cisco briefly had pages discussing it on their sites. Apparently the patch was planned for that day, and was pulled from the release at the last moment. Two days later, on Thursday the 12th, a fix was pushed via Windows update. If you have Windows 10 machines or a Server 2019 install you’re responsible for, go make sure it has this update, as proof-of-concept code is already being developed.
