This Week In Security: SSH, FTP, And Reptar

It’s time to strap on our propeller beanies, because we’re going to talk crypto. The short version is that some SSH handshakes can expose enough information for a third party to obtain the host’s private signing key. That key is the one that confirms you are connecting to the SSH server you think you are, and if the key validation fails, you get a big warning:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!

The math that makes this warning work is public-key cryptography. The problem we’re talking about today only shows up with RSA host keys, and specifically in implementations that use the Chinese Remainder Theorem (CRT) to speed up the modular exponentiation that produces the signature: the signature is computed separately modulo each of the two secret primes, and the two halves are then combined. If something goes wrong in one of those half-calculations, you end up with a signature that is correct modulo one prime and wrong modulo the other. The important point is that such a faulty signature, together with the message that was signed, lets anyone compute one of the secret primes with a single gcd, which is a complete recovery of the private key, not just a weakening of it.

This attack has been known for quite some time, but the research has mostly been aimed at *causing* the calculation fault, through power glitching or even memory attacks like Rowhammer. There has also been progress on using a lattice attack against captured handshakes, to make the attack practical when only part of the signed message is known to the observer. The real novel element of this week’s approach (pdf) is that it has been tested against SSH traffic in the wild, using nothing more than the signatures servers already send.

The paper’s authors performed weekly scans of the entire public IPv4 address space, capturing the handshake from any listening SSH server, and also had five years of historic data to draw from. The results are mixed. There is a Cisco SSH server string that is extremely common in the dataset, and only once did one of those machines send a miscalculated signature, possibly a random RAM bit flip. On the other hand, the string “SSH-2.0-Zyxel SSH server” produced so many bad signatures that it suggests a device that *always* sends a miscalculated signature.
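The gcd trick described above, as an added example that is not code from the article or from the paper it discusses. It generates a small RSA key with the precomputed CRT parameters real libraries store, produces one correct and one faulty signature (the fault is simulated by flipping a bit in the mod-q half, standing in for a glitch, a bit flip or a firmware bug), and recovers a prime factor from the faulty one using only the public key. It assumes the attacker knows the signed value m outright; in SSH the exchange hash depends on the shared secret, which a passive observer does not have, which is the gap the lattice step in the paper closes. The message encoding is a simplified stand-in, not PKCS#1 v1.5, and `sign_crt_checked` shows the standard countermeasure: verify the signature before letting it leave the process.

```python
"""RSA-CRT fault attack (Bellcore / Boneh-DeMillo-Lipton) on a toy key.

Added example; not code from the article or the paper. A 512-bit key is
used for speed; the math is identical for real 2048-bit+ host keys.
"""
import hashlib
import math
import random


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test; adequate for a demo key."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_key(bits: int = 512, e: int = 65537) -> dict:
    """RSA key including the CRT parameters (dp, dq, qinv) used for fast signing."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p != q and math.gcd(e, (p - 1) * (q - 1)) == 1:
            break
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": p * q, "e": e, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}


def encode_message(msg: bytes, n: int) -> int:
    """Simplified message representative: SHA-256 as an integer below n."""
    m = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    if m >= n:
        raise ValueError("message representative too large for modulus")
    return m


def sign_crt(key: dict, m: int, fault: bool = False) -> int:
    """CRT signing: two half-size exponentiations recombined with Garner's formula."""
    sp = pow(m, key["dp"], key["p"])
    sq = pow(m, key["dq"], key["q"])
    if fault:
        sq ^= 1  # simulated glitch: mod-q half is now wrong, mod-p half is still right
    h = (key["qinv"] * (sp - sq)) % key["p"]
    return sq + h * key["q"]


def verify(n: int, e: int, m: int, sig: int) -> bool:
    return pow(sig, e, n) == m


def sign_crt_checked(key: dict, m: int, fault: bool = False):
    """Countermeasure: verify before release, so a faulty signature never leaves."""
    sig = sign_crt(key, m, fault)
    return sig if verify(key["n"], key["e"], m, sig) else None


def recover_factor(n: int, e: int, m: int, sig: int):
    """Attacker side: public key plus one faulty signature on a known m.

    sig^e == m (mod p) but not (mod q), so sig^e - m is a multiple of p
    alone and gcd(sig^e - m, n) is p. Returns None for a correct signature,
    where the gcd is n itself and nothing is learned.
    """
    g = math.gcd((pow(sig, e, n) - m) % n, n)
    return g if 1 < g < n else None


def demo() -> dict:
    key = generate_key()
    m = encode_message(b"constructed: stand-in for an SSH exchange hash", key["n"])
    good = sign_crt(key, m)
    bad = sign_crt(key, m, fault=True)
    return {
        "good_verifies": verify(key["n"], key["e"], m, good),
        "bad_verifies": verify(key["n"], key["e"], m, bad),
        "recovered_prime": recover_factor(key["n"], key["e"], m, bad) in (key["p"], key["q"]),
        "no_leak_from_good_sig": recover_factor(key["n"], key["e"], m, good) is None,
        "checked_signer_refuses": sign_crt_checked(key, m, fault=True) is None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the correct signature verifies, the faulty one does not, the faulty one yields a prime factor from the public key alone, and the checked signer returns nothing rather than a faulty signature. The check costs one public-exponent exponentiation, which is why mainstream libraries pay it; a device that skips it, or has a bug in its CRT arithmetic, hands its host key to anyone who can read the wire.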

Humane AI Pin marketing picture. (Credit: Humane)

The AI Pin: A Smart Body Camera That Wants To Compete With Smartphones

Seeking to shake up the smartphone market, Humane introduced its ‘AI Pin’, which at first glance looks like someone put a very stylish body camera on their chest. There’s no display, only the 13 MP camera and some other optics visible above what turns out to be a touch panel, which is its main gesture-based input method, while it’s affixed to one’s clothing using either a magnet on the other side of the fabric, a wireless powerbank or a clip. Inside the unit you find a Qualcomm octa-core processor with 4 GB of RAM and 32 GB of eMMC storage, running a custom Android-based ‘Cosmos’ OS.

The AI Pin home screen, demonstrating why hand palms are poor projection surfaces. (Credit: Humane)

There is also a monochrome (teal) 720p laser projector built-in that provides something of a screen experience, albeit with the expectation that you use your hand (or presumably any other suitable surface) to render it visible. From the PR video it is quite clear that visibility of the projection is highly variable, with much of the text often not remotely legible, or only after some squinting. The hand-based gestures to control the UI (tilting to indicate a direction, touching thumb & index finger together to confirm) are somewhat of a novelty, though this may get tiresome after a day.

An article by [Ron Amadeo] over at Ars Technica also takes a look at the device, pointing out the lack of an app ecosystem as well as the need for a mandatory internet connection (via T-Mobile). Presumably this always-on ‘feature’ is where the ‘AI’ part comes in, as the device has some voice assistant functionality that seems to rely heavily on remote servers. As a result, this ends up being a quirky device with no third-party app support for a price tag of $700 plus $25/month for the online service. Not to mention that people may look at you a bit oddly when you walk around with a body camera-like thing on your chest that you keep rubbing and holding your hand in front of.

To be fair, it’s not often that we see something more quaint in this space come out than Google Glass, now many years ago.

Supercon And Soylent Green

The 2023 Hackaday Supercon is all done and dusted, and we’re still catching up on our sleep. I couldn’t ask everyone, but a great time was had by everyone I talked to. It’s honestly a very special crowd that shows up in Pasadena every November, and it’s really the attendees who make it what it is. We just provide the platform to watch you shine. Thank you all!

It all started out on Friday with an open day of chilling out and badge experimentation. Well, chill for those of you who didn’t have a bug in their badge code, anyway. But thanks to some very keen observation and fantastic bug reports by attendees, Al and I figured out what we’d done and pushed a fix out to all 300 of the badges that were given out on the first day. And thanks to the remaining 200 folks who walked in the next day, who fixed their own badges at Tom’s Flashing Station.

From then on, it was one great talk after another, punctuated by badge hacks and all the other crazy stuff that people brought along with them to show off. For me, one of the highlights was on Sunday morning, as the Lightning Talks gave people who were there a chance to get up and talk about whatever for seven minutes. And subjects ranged from a mad explosive propane balloon party, to Scotty Allen’s experience with a bad concussion and how he recovered, to a deep dive into the world of LED strands and soft sculptures from our go-to guru of blinkiness, Debra [Geek Mom] Ansell.

Supercon first-timer Katie [Smalls] Connell gave a phenomenal talk about her wearable LED art things, Spritelights. These are far from simple art pieces, being a combination of medical adhesive, home-mixed Galinstan – a metal alloy that stays flexible at human body temperature, and soon even flexible printed batteries. That this whole project hit us without warning from out of the audience just made it more impressive.

And these were just the folks who stepped up on stage. The true story of Supercon also belongs to all the smaller conversations and personal demos taking place in the alley or by the coffee stand. Who knows how many great ideas were hatched, or at least seeds planted?

So as always, thank you all for coming and bringing your passions along with you. Just like Soylent Green, Supercon is made of people, and it wouldn’t be half as yummy without you. See you all next year. And if you’re thinking of joining us, get your tickets early and/or submit a talk proposal when the time comes around. You won’t meet a more warm and welcoming bunch of nerds anywhere.

Does Getting Into Your Garage Really Need To Be Difficult?

Probably the last thing anyone wants when coming home from a long day at work or a trip is to be hassled at the last possible moment — gaining entrance to your house. But for some home automation enthusiasts, that’s just what happened when they suddenly learned that their own garage doors had betrayed them.

The story basically boils down to this: Chamberlain, a US company that commands 60% of the garage door market, recently decided to prevent “unauthorized usage” of their MyQ ecosystem through third-party apps. Once Chamberlain rolled out the change, users of Home Assistant and other unauthorized apps found themselves unable to open or close their doors with the apps they were accustomed to.

Those of us with custom smart home setups can relate to how frustrating it is when something disturbs the systems you’ve spent a lot of time tweaking and optimizing. It’s especially upsetting for users who bought Chamberlain hardware specifically because it was supported by Home Assistant, only to have the company decide to drop support. This feels like false advertising, but we strongly suspect that buried in the EULA users must have agreed to at some point is a clause that essentially says, “We can do anything we want and tough noogies to you.” And if you read through the article linked above, you’ll get an idea why Chamberlain did this: they probably didn’t like the idea that users were avoiding their ad-spangled MyQ app for third-party interfaces, depriving them of ad revenue and the opportunity for up-selling.

We feel the frustration of these users, but rather than curse the darkness, perhaps this will light a candle of righteous rage that leads to a clever workaround. The Home Assistant blog article mentions a dongle called ratgdo, which should allow any door with plain old dry contacts to work via MQTT or ESPHome. It’s extra work that users shouldn’t have to put in, but maybe getting one over on The Man would be worth the effort.

Thanks to [KC] for the tip; please keep us posted on your workaround.

How Framework Laptop Broke The Hacker Ceiling

We’ve been keeping an eye on the Framework laptop over the past two years – back in 2021, they announced a vision for a repairable and hacker-friendly laptop based on the x86 architecture. They’re not claiming to be either open-source or libre hardware, but despite that, they have very much delivered on repairability and fostered a hacker community around the laptop, while sticking to pretty ambitious standards for building upgradable hardware that lasts.

I’ve long had a passion for laptop hardware, and when Hackaday covered Framework announcing the motherboards-for-makers program, I submitted my application, then dove into the ecosystem and started poking at the hardware internals every now and then. A year has passed since then, and I’ve been using a Framework as a daily driver, reading the forums on the regular, hanging out in the Discord server, and have even developed a few Framework accessories along the way. I’d like to talk about what I’ve seen unfold in this ecosystem, both from Framework and from the hackers that joined their effort, because I feel like we have something to learn from it.

If you have a hacker mindset, you might be wondering – just how much is there to hack on? And, if you have a business mindset, you might be wondering – how much can a consumer-oriented tech company achieve by creating a hacker-friendly environment? Today, I’d like to give you some insights and show cool things I’ve seen happen as an involved observer, as well as highlight the path that Framework is embarking upon with its new Framework 16.


Blatano Art Project Tracks Devices In Its Vicinity

Computers, surveillance systems, and online agents are perceiving us all the time these days. Most of the time, it takes place in the shadows, and we’re supposed to be unaware of this activity going on in the background. The Blatano art piece from [Leigh] instead shows a digital being that actively displays its perception of other digital beings in the world around it.

The project is based on an ESP32, using the BLE Scanner library to scan for Bluetooth devices in the immediate vicinity. Pwnagotchi and Hash Monster tools are also used to inspect WiFi traffic, while the CovidSniffer library picks up packets from contact-tracing apps that may be operating in the area.

This data is used to create profiles of various devices that the Blatano can pick up. It then assigns names and little robotic images to each “identity,” and keeps tabs on them over time. It’s an imperfect science, given that some devices regularly change their Bluetooth identifiers and the like. Regardless, it’s interesting to watch a digital device monitor the scene like a wallflower watching punters at a house party.

If you’ve built your own art-surveillance devices to comment on the state of modernity, don’t hesitate to drop us a line!

Building A Robot Bartender For Amazon

[Audax] built an unassuming side table with a party trick. It could retract a glass inside and fill it up with bourbon. The nifty device gained plenty of positive attention online, leading to a commission from Amazon to build a new version. Thus, [Audax] set about a redesign to create an even more impressive drink delivery system. (Video, embedded below.)

The story is very much one of refinement and optimization, focusing on the challenges of building a customer-facing device. With just six weeks to create the new rig, [Audax] had to figure out how to make the machine sleeker and more compact for its debut at a special event. To achieve this, he eschewed the original frame design made of aluminium extrusion, going for a 3D-printed design instead. The wire nest of the original version was eliminated by an outsourced PCB design. Other new features included a mobile app for control and an easier way to adjust pour size, for bigger or smaller drinks as desired. For ease of use, activation is via an Amazon Alexa Skill.

As is so often the way, a last minute hurdle came up, prompting [Audax] to fly to Seattle to troubleshoot the rig on site. Nevertheless, the automatic drink server came good in the end, and delivered on its promise. Video after the break.
