Recently, you might have noticed a flurry of CH552 projects on Hackaday.io – all of them with professionally taken photos of neatly assembled PCBs, typically with a USB connector or two. You might also have noticed that they’re all built by one person, [Stefan “wagiminator” Wagner], who is a prolific hacker – his Hackaday.io page lists over a hundred projects, most of them proudly marked “Completed”. Today, with all these CH552 mentions in the Hackaday.io’s “Newest” category, we’ve decided to take a peek.
[Stefan]’s seriously put the CH552 to the test, and given that all of these projects got firmware, having these projects as examples is a serious incentive for more hackers to try these chips out, especially considering that the CH552 and CH554 go for about 50 cents apiece at websites like LCSC, and mostly in friendly packages. We did cover these two chips back in 2018, together with a programming guide, and we’ve seen things like badges built with its help, but having all these devices to follow is a step up in availability – plus, it’s undeniable that all the widgets built are quite useful by themselves!
For those of us who like to crawl over complex systems, spending hours or even days getting hardware and software to work in concert, working at places like NASA or CERN seems like a dream job. Imagine having the opportunity to turn a wrench on the Space Shuttle or the Large Hadron Collider (LHC) — not only do you get to spend some quality time with some of the most advanced machines ever produced, you can be secure in the knowledge that your work will further humanity’s scientific understanding of the universe around us.
Or at least, that’s what we assume it must feel like as outsiders. But what about somebody who’s actually lived it? What does an actual employee, somebody who’s had to wake up in the middle of the night because some obscure system has gone haywire and stalled a machine that cost taxpayers $4.75 billion to build, think about working at the European Organization for Nuclear Research? Continue reading “Daniel Valuch Chats About CERN’s High Caliber Hacking”→
While we’re told that space-time curves, we aren’t sure that was what [andrei.erdei] was going for when he built a great-looking curved LED clock. The LEDs are courtesy of a strip of 84 WS2812 smart LEDs, the curve comes from a 3D printed part, and a Wemos D1 mini provides the brains.
Like all of our favorite clocks, this one has a unique way of displaying the time. If you find the description in the post hard to understand, the video below makes it a bit easier to wrap your head around. Note the time appears in the top left corner of the video in several cases — so you can check to see if you’re reading it correctly.
The secret sauce, of course, is the curved plastic grid that holds the LEDs. Because of the unusual shape, supports are a must and there are notes in the post about the settings used to get the best results. With 84 LEDs, the software has to be careful not to turn them to full brightness at one time, or else the clock would need a 6 amp power supply. Instead, the software limits the brightness to a little less than half of the maximum. No LED is ever white, and not all LEDs are on at once. The clock works easily, according to [andrei], with a 2 A supply. The clock has a WiFi connection where you can set things up easily.
Overall, a nice-looking project that would look at home on a science fiction movie set. We’ve seen color clocks before. If you want to economize on LEDs, we’ve seen a clock with only five!
Michael Whiteley (aka [compukidmike]) is a badgelife celebrity. Together, he and his wife Katie make up MK Factor. They have created some of the most popular electronic conference badges. Of course, even experts make mistakes and run into challenges when they dare to push the envelope of technology and delivery schedules. In his Supercon 2022 talk, There’s No Rev 2: When Badgelife Goes Wrong, Mike shares details from some of his worst badge snafus and also how he managed to gracefully pull them back from the edge of disaster.
Living the Badgelife
Attendees at the world’s largest hacker convention, DEF CON in Las Vegas, had already become accustomed to receiving and wearing very cool and novel admission tokens, more properly known as badges. Then in 2006, at DEF CON 14, everything changed. Designed by Joe Grand, the first electronic DEF CON badge was a circuit board featuring a tiny PIC microcontroller, two LEDs, and a single pushbutton. Badgelife was born.
DEF CON 30 Humans Sampling Board
Mike begins his war stories with one about the DEF CON 30 badge. This was a herculean project with 25,000 badges being produced on a short timeline in the ever-changing chaos of a semiconductor supply-chain meltdown. Even though many regard it as one of the best DEF CON badges ever made, the DC30 badge posed a number of challenges to its creators. Microcontrollers were in short supply during 2021 and 2022 forcing the badge team to keep an eye on component vendor supplies in order to snipe chips as soon as they appeared in stock. The DC30 badge was actually redesigned repeatedly as different microcontrollers fluctuated in and out of supply. Continue reading “Supercon 2022: Michael Whiteley Saves The Badge”→
This week, Editor-in-Chief Elliot Williams and [former Assignments Editor] Kristina Panos stood around talking about the greatest hacks of the previous week. But first, we’ve got a contest running now through March 21st — the Low Power Challenge!
Kristina almost got What’s That Sound this week, but could only describe it as some sort of underwater organ, so still no t-shirt for her. But [BalkanBoy] knew exactly what it was — the Zadar Sea Organ in Croatia. Then it’s on to the hacks, beginning with the most beautiful sea of 7-segments you’ll likely ever see. We gush over a tiny PC in a floppy drive that uses custom cartridges, dish about an expressive synth that uses a flexure mechanism, and enjoy a loving ode to the vacuum fluorescent display.
Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!
As society transitions toward renewable energy sources, energy storage inevitably comes to mind. Researchers at the University of Illinois at Urbana-Champaign have found one way to store renewable energy that re-purposes existing fossil fuel infrastructure.
While geothermal electricity generation shows a lot of promise, it’s currently limited to a select few areas where hot rock is close to the Earth’s surface. Advanced Geothermal Energy Storage (AGES) stores energy underground as heat and recovers it later, even in places without high subsurface temperatures. For this study, the researchers located an old oil well and instrumented it with “flow meters, fiber optic distributed temperature sensing (DTS) cable, surface pressure and temperature gauges, and downhole pressure and temperature gauges to monitor the thermal and hydraulic changes during the injection test.”
This field study found that AGES system efficiency could be as high as 82% and yield an “economically viable” levelized cost of electricity (LCOE) of $0.138/kWh. Using existing deep hole infrastructure speeds up site selection and deployment of AGES when compared to developing on an undisturbed location, making this a very interesting way to deploy grid-scale storage rapidly.
Researchers at Sonar took a crack at OpenEMR, the Open Source Electronic Medical Record solution, and they found problems. The first one is a classic: the installer doesn’t get removed by default, and an attacker can potentially access it. And while this isn’t quite as bad as an exposed WordPress installer, there’s a clever trick that leads to data access. An attacker can walk through the first bits of the install process, and specify a malicious SQL server. Then by manipulating the installer state, any local file can be requested and sent to the remote server.
There’s a separate set of problems that can lead to arbitrary code execution. It starts with a reflected Cross Site Scripting (XSS) attack. That’s a bit different from the stored XSS issue most people picture, where one user puts JavaScript on a page, and every user that views the page runs the code. In this case, the malicious bit is included as a parameter in a URL, and anyone that follows the link unknowingly runs the code.
And what code would an attacker want an authenticated user to run? A file upload, of course. OpenEMR has a function for authenticated users to upload files with arbitrary extensions, even .php. The upload folder is inaccessible, so it’s not exploitable by itself, but there’s another issue, a PHP file inclusion. Part of the file name is arbitrary, and is vulnerable to path traversal, but the file must end in .plugin.php. The bit of wiggle room on the file name on both sides allows for a collision in the middle. Get an authenticated user to upload the malicious PHP file, and then access it for instant profit. The fixes have been available since the end of November, in version 7.0.0-patch-2.
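The lesson from that inclusion bug is that a fixed suffix on an otherwise caller-controlled file name buys you nothing against traversal. The snippet below is an added illustration written for this column, not code from OpenEMR or from Sonar’s write-up: it puts the “append .plugin.php and include” pattern next to a hardened resolver that allowlists plugin names, restricts the character set, and confirms the normalised path still lives under the plugin directory. The directory, suffix, and plugin names are constructed for the example.

```python
import re
from pathlib import Path

# Constructed layout for this example; it is not OpenEMR's real directory tree.
PLUGIN_DIR = Path("/srv/app/plugins")
PLUGIN_SUFFIX = ".plugin.php"
# Hypothetical allowlist: only plugins the application itself ships.
REGISTERED_PLUGINS = {"billing", "reports"}
_SAFE_NAME = re.compile(r"[a-z0-9_]{1,32}")


def resolve_plugin_unsafe(name: str) -> Path:
    """The pattern the write-up describes: a fixed suffix is appended to a
    caller-controlled middle part.  The suffix alone proves nothing, because
    the middle part may still carry '/' and '..' segments."""
    return Path(str(PLUGIN_DIR) + "/" + name + PLUGIN_SUFFIX)


def is_inside_plugin_dir(path: Path) -> bool:
    """True when the normalised path has PLUGIN_DIR as an ancestor.
    resolve() collapses '..' segments, so an escape shows up here."""
    return PLUGIN_DIR.resolve(strict=False) in path.resolve(strict=False).parents


def resolve_plugin_safe(name: str) -> Path:
    """Hardened resolver: allowlist first, then a strict character set, then a
    final containment check on the normalised path (defence in depth)."""
    if name not in REGISTERED_PLUGINS:
        raise ValueError(f"unknown plugin: {name!r}")
    if not _SAFE_NAME.fullmatch(name):
        raise ValueError(f"malformed plugin name: {name!r}")
    candidate = (PLUGIN_DIR / (name + PLUGIN_SUFFIX)).resolve(strict=False)
    if not is_inside_plugin_dir(candidate):
        raise ValueError(f"plugin path escapes {PLUGIN_DIR}: {candidate}")
    return candidate


def is_rejected(name: str) -> bool:
    """Convenience wrapper: does the hardened resolver refuse this name?"""
    try:
        resolve_plugin_safe(name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name in ["billing", "../../tmp/anything", "billing/../reports"]:
        loose = resolve_plugin_unsafe(name)
        print(f"{name!r:24} unsafe -> {loose}  inside plugin dir: {is_inside_plugin_dir(loose)}")
        verdict = "rejected" if is_rejected(name) else str(resolve_plugin_safe(name))
        print(f"{'':24} safe   -> {verdict}")
```

The containment check at the end is deliberately redundant with the allowlist: if someone later loosens the allowlist to accept user-provided names, the path check still holds the line.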
Bing Chat Injection
Or maybe it’s AI freedom. So, the backstory here is that the various AI chat bots are built with rules. Don’t go off into political rants, don’t commit crimes, and definitely don’t try to scam the users. One of the more entertaining tricks clever users have discovered is to tell a chatbot to emulate a personality without any such rules. ChatGPT can’t comment on political hot button issues, but when speaking as DAN, anything goes.
Arrrrr
This becomes really interesting when Bing Chat ingests a website that has targeted prompts. It’s trivial to put text on a web page that’s machine readable and invisible to the human user. This work puts instructions for the chat assistant in that hidden data, and demonstrates a jailbreak that turns Bing Chat malicious. The fun demonstration convinces the AI to talk like a pirate — and then get the user to click on an arbitrary link. The spooky demo starts out by claiming that Bing Chat is down, and the user is talking to an actual Microsoft engineer.
LastPass Details — Plex?
Last time we talked about the LastPass breach, we had to make some educated guesses about how things went down. There’s been another release of details, and it’s something. Turns out that in one of the earlier attacks, an encrypted database was stolen, and the attackers chose to directly target LastPass Engineers in an attempt to recover the encryption key.
According to Ars Technica, the attack vector was a Plex server run by one of those engineers. Maybe related, at about the same time, the Plex infrastructure was also breached, exposing usernames and hashed passwords. From this access, attackers installed a keylogger on the developer’s home machine, and captured the engineer’s master password. This allowed access to the decryption keys. There is some disagreement about whether this was/is a 0-day vulnerability in the Plex software. Maybe make sure your Plex server isn’t internet accessible, just to be safe.
There’s one more bit of bad news, particularly if you use the LastPass Single Sign On (SSO) service. That’s because the SSO secrets are generated from an XOR of two keys, K1 and K2. K1 is a single secret for every user at an organization. K2 is the per-user secret stored by LastPass. And with this latest hack, the entire database of K2 secrets was exposed. If K1 is still secret, all is well. But K1 isn’t well protected, and is easily accessed by any user in the organization. Ouch.
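To make the “if K1 is still secret, all is well” reasoning concrete, here is a small added example written for this column (not LastPass code, and every key value in it is constructed). It treats the scheme as what it is, a two-share XOR split: a leaked K2 table on its own is consistent with every possible secret, but the moment the single organisation-wide K1 joins it, every user’s SSO secret falls out in one loop.

```python
# Constructed demo values; nothing here is a real LastPass key.
K1_ORG = bytes.fromhex("00112233445566778899aabbccddeeff")  # one value shared by the whole org
LEAKED_K2_DB = {                                             # per-user shares, as in the stolen database
    "alice": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
    "bob":   bytes.fromhex("0123456789abcdef0123456789abcdef"),
}


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def sso_secret(k1: bytes, k2: bytes) -> bytes:
    """K1 XOR K2, the combination the write-up describes."""
    return xor_bytes(k1, k2)


def k1_consistent_with(k2: bytes, guessed_secret: bytes) -> bytes:
    """For any guessed secret there is exactly one K1 that produces it from a
    given K2, so the leaked K2 table narrows nothing down by itself.  That is
    the whole security argument of the scheme, and it rests entirely on K1."""
    return xor_bytes(guessed_secret, k2)


def recover_all_secrets(k1: bytes, k2_db: dict) -> dict:
    """Once K1 is also known, the leaked table yields every user's secret at once:
    a single weakly protected value compromises the entire organisation."""
    return {user: sso_secret(k1, k2) for user, k2 in k2_db.items()}


if __name__ == "__main__":
    guess = bytes(range(16))
    k1_guess = k1_consistent_with(LEAKED_K2_DB["alice"], guess)
    print("K2 alone: a K1 exists for any secret you like ->",
          sso_secret(k1_guess, LEAKED_K2_DB["alice"]) == guess)
    for user, secret in recover_all_secrets(K1_ORG, LEAKED_K2_DB).items():
        print(f"with K1 as well: {user:6} -> {secret.hex()}")
```

The point of `k1_consistent_with` is that the XOR split really is information-theoretically sound while K1 is private; the weakness is operational, in where K1 lives and who can read it, not in the arithmetic.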
The Ring Alien
Turns out, just like a certain horror movie, there is a video whose very watching causes death. If you happen to be a Pixel phone, that is. And “death” might be a bit of an exaggeration. Though the video in question certainly nails the vibe. Playing a specific YouTube clip from Alien will instantly reboot any modern Pixel phone. A stealth update seems to have fixed the issue, but it will be interesting to see if we get any more details on this story in the future. After all, when data can cause a crash, it can often cause code execution, too.
In-The-Wild
The US Cybersecurity and Infrastructure Security Agency (CISA) maintains a list of bugs that are known to be under active exploitation, and that list just recently added a set of notches. CVE-2022-36537 is the most recent, a problem in the ZK Framework. That’s an AJAX framework used in many places, notably the ConnectWise software. Joining the party are CVE-2022-47986, a flaw in IBM Aspera Faspex, a file transfer suite, and CVE-2022-41223 and CVE-2022-40765, both problems in the Mitel MiVoice Business phone system.
Bits and Bytes
There’s yet another ongoing attack against the PyPI repository, but this one mixes things up a bit by dropping a Rust executable as one stage in a chain of exploitation. The other novel element is that this attack isn’t going after typos and misspellings, but seems to be a real-life dependency confusion attack.
The reference implementation of the Trusted Platform Module 2.0 was discovered to contain some particularly serious vulnerabilities. The issue is that a booted OS could read and write two bytes beyond its assigned data. It’s unclear whether that’s a static two bytes, making this not particularly useful in the real world, or if these reads could be chained together, slowly leaking larger chunks of internal TPM data.
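A two-byte over-read in a command parser is the classic shape of “the length field says more than the buffer holds.” The example below is added for this column and is not the TPM reference code: it keeps the real TPM 2.0 command header layout (2-byte tag, 4-byte commandSize, 4-byte commandCode) but uses a constructed, simplified parameter encoding (a 2-byte length prefix per parameter). It shows a parser that trusts the length fields beside one that checks every claimed length against the bytes that remain, and feeds both a message whose last length field has been bumped by two.

```python
import struct

# Header layout follows the TPM 2.0 command header (tag, commandSize, commandCode).
# The per-parameter 2-byte length prefix is a constructed simplification for
# this example; it is not the spec's parameter marshalling.
HEADER = struct.Struct(">HII")
LEN = struct.Struct(">H")
TPM_ST_NO_SESSIONS = 0x8001  # real TPM 2.0 tag value
DEMO_COMMAND_CODE = 0x0123   # constructed, not a real command code


class MalformedCommand(ValueError):
    pass


def build_command(tag: int, code: int, params: list) -> bytes:
    body = b"".join(LEN.pack(len(p)) + p for p in params)
    return HEADER.pack(tag, HEADER.size + len(body), code) + body


def parse_unchecked(buf: bytes):
    """Trusts every length field.  Python slicing silently shortens an
    overclaimed parameter; C code doing the same arithmetic reads past the
    end of the buffer by exactly the overclaimed amount."""
    tag, size, code = HEADER.unpack_from(buf, 0)
    off, params = HEADER.size, []
    while off < size:
        (n,) = LEN.unpack_from(buf, off)
        off += LEN.size
        params.append(buf[off:off + n])
        off += n
    return tag, code, params


def parse_checked(buf: bytes):
    """Same walk, but every length is validated before it is used."""
    if len(buf) < HEADER.size:
        raise MalformedCommand("short header")
    tag, size, code = HEADER.unpack_from(buf, 0)
    if size != len(buf):
        raise MalformedCommand(f"commandSize {size} != buffer length {len(buf)}")
    off, params = HEADER.size, []
    while off < size:
        if size - off < LEN.size:
            raise MalformedCommand("truncated length field")
        (n,) = LEN.unpack_from(buf, off)
        off += LEN.size
        if n > size - off:
            raise MalformedCommand(f"parameter claims {n} bytes, only {size - off} remain")
        params.append(buf[off:off + n])
        off += n
    return tag, code, params


def overclaim_last_param(buf: bytes, extra: int = 2) -> bytes:
    """Constructed malformed input: raise the last parameter's length field by
    `extra` bytes without appending data, mirroring a two-byte over-read."""
    tag, size, code = HEADER.unpack_from(buf, 0)
    off, last = HEADER.size, None
    while off < size:
        last = off
        (n,) = LEN.unpack_from(buf, off)
        off += LEN.size + n
    if last is None:
        raise ValueError("command carries no parameters")
    (n,) = LEN.unpack_from(buf, last)
    return buf[:last] + LEN.pack(n + extra) + buf[last + LEN.size:]


def rejects(buf: bytes) -> bool:
    """Does the checked parser refuse this buffer?"""
    try:
        parse_checked(buf)
    except MalformedCommand:
        return True
    return False


if __name__ == "__main__":
    good = build_command(TPM_ST_NO_SESSIONS, DEMO_COMMAND_CODE, [b"abc", b"\x01\x02"])
    bad = overclaim_last_param(good)
    print("unchecked on malformed input:", parse_unchecked(bad))
    print("checked on malformed input rejects:", rejects(bad))
```

The unchecked parser returns a plausible-looking result on the malformed message, which is the worrying part: nothing in the output says the last parameter was two bytes short of what the sender claimed, and in native code those two bytes would have come from whatever sits after the buffer.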
And finally, one more thing to watch out for, beware of fake authenticator apps. This one is four years old, has a five star rating, and secretly uploads your scanned QR codes to Google Analytics, exposing your secret authenticator key. Yoiks.