Inside Two-Factor Authentication Apps

Passwords are in a pretty broken state of implementation for authentication. People pick horrible passwords and use the same password all over the place, firms fail to store them correctly and then their databases get leaked, and if anyone’s looking over your shoulder as you type it in (literally or metaphorically), you’re hosed. We’re told that two-factor authentication (2FA) is here to the rescue.

Well maybe. 2FA that actually implements a second factor is fantastic, but Google Authenticator, Facebook Code Generator, and any of the other app-based “second factors” are really just a second password. And worse, that second password cannot be stored hashed in the server’s database, which means that when the database is eventually compromised, your “second factor” blows away with the breeze.

Second factor apps can improve your overall security if you’re already following good password practices. We’ll demonstrate why and how below, but the punchline is that the most popular 2FA app implementations protect you against eavesdropping by creating a different, unpredictable, but verifiable, password every 30 seconds. This means that if someone overhears your login right now, they wouldn’t be able to use the same login info later on. What 2FA apps don’t protect you against, however, are database leaks.
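The following is an added example, not code from the article: it assumes the app implements RFC 6238 TOTP with HMAC-SHA1 (the scheme Google Authenticator uses) and uses the RFC's published test secret as constructed sample data. The `verify` and `demo` helpers are hypothetical names. It shows why a captured code stops working after its time window, and why the server must keep the shared secret in recoverable form.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid, as described above
DIGITS = 6

def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second time-step counter."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(stored_secret: bytes, submitted: str, now: int, window: int = 1) -> bool:
    """Server-side check: recompute the code for nearby steps and compare.

    The server can only do this with the same raw secret the app holds.
    """
    for drift in range(-window, window + 1):
        expected = totp(stored_secret, now + drift * STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False

# Constructed sample data: the shared secret from the RFC 6238 test vectors.
SECRET = b"12345678901234567890"
LOGIN_TIME = 59          # Unix time of the observed login

def demo() -> dict:
    code = totp(SECRET, LOGIN_TIME)
    later = LOGIN_TIME + 300
    return {
        "code": code,
        # The legitimate login succeeds.
        "accepted_now": verify(SECRET, code, LOGIN_TIME),
        # The same code, replayed five minutes later, is rejected.
        "replayed_later": verify(SECRET, code, later),
        # A server that stored only a hash of the secret cannot verify at all.
        "hashed_store_verifies": verify(hashlib.sha256(SECRET).digest(), code, LOGIN_TIME),
        # Anyone holding the stored secret can compute currently valid codes.
        "leaked_secret_yields_valid_code": verify(SECRET, totp(SECRET, later), later),
    }

if __name__ == "__main__":
    print(demo())
```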


Oh Great, WPA2 Is Broken

WPA2, the standard security for Wi-Fi networks these days, has been cracked due to a flaw in the protocol. Implications stemming from this crack include decrypting Wi-Fi traffic, hijacking connections, and injecting content. It’s fair to say, WPA2 is now Considered Harmful. The paper is available here (PDF).

This is a proof-of-concept exploit, and like all headline-making network security stories, it has a name. It’s called KRACK, for Key Reinstallation Attack. The key insight to this exploit is a vulnerability in the handshaking between routers and devices to establish a secure connection.

This is not the first time the researchers behind this exploit have found holes in WPA2. In a paper published by the KRACK researchers at the USENIX Symposium last August (PDF), they showed that the Random Number Generator used in 802.11 is flawed, ill-defined, and insecure. The researchers have also spoken at 33c3 on predicting WPA2 Group Keys.

The practical consequences of a poor definition and implementation of an RNG can be found in consumer hardware. The researchers found that in MediaTek-based routers, the only source of randomness is the current time. Meanwhile Broadcom-based routers do not use the RNG proposed by the 802.11 spec, but instead take the MD5 of the current time in microseconds. The researchers do not mention if the current time is a secret.

So what do we do now?

This has happened before. In 2001, WEP, the Wi-Fi security protocol many security-ignorant people are still running, was cracked in much the same way as KRACK. This quickly led to the development of Aircrack, and in 2003, the Wi-Fi Alliance rolled out WPA and WPA2. Sure, you can still select a deprecated security protocol for your router, but the problem of WEP hacking is as solved as it’s ever going to be.

The early 2000s were a different time when it came to wireless networks, though here in 2017 Wi-Fi permeates every cubic inch of our lives. Everything and everyone has Wi-Fi now. This is going to be a bit bigger than cracking WEP, but it remains possible to patch devices to ensure that this exploit is rendered useless. Install those security updates, people! Of course there will still be millions of unpatched devices in a year’s time, and for those routers, IoT baubles, and other wireless devices, turning on WPA2 will be akin to having no security at all.

That said, this isn’t a world-ending Armageddon in the way the botnet of webcams was. You will only be vulnerable if an attacker is within range of your router, and you will still be secure if you’re accessing secure websites. However, turning off Wi-Fi on your phone, relying on mobile data, not ignoring HTTPS cert warnings, and plugging into an Ethernet port might not be a bad idea.

Why Not Expose Your PCBs Through An LCD?

Most people who have dabbled in the world of electronic construction will be familiar in some form with the process of producing a printed circuit board by exposing a UV sensitive coating through a transparent mask, before moving on to etching. Older readers will have created their masks by hand with crêpe paper tape on acetate, while perhaps younger ones started by laser-printing from their CAD package.

How about a refinement of the process, one which does away with the acetate mask entirely? [Ionel Ciobanuc] may have the answer, in the form of an exposure through an LCD screen. The video below the break shows how it’s done, starting with a (probably a bit too lengthy) sequence on applying the photo-resist coating to the board, and then sitting the LCD on top of a UV lamp with the board positioned at the top of the pile.

It’s an interesting demonstration, and one that certainly removes a step in the process of PCB creation as it brings the pattern direct from computer to board without an intermediate. Whether or not it’s worth the expenditure on an LCD is up to you, after all a sheet of acetate is pretty cheap and if you already have a laser printer you’re good to go. We’re curious to know whether or not any plastic components in the LCD itself might be damaged by long-term exposure to intense UV light.


LEGO Row Boat Is The Poolside Companion You Didn’t Know You Needed

Maybe it’s the upbeat music, or the views of a placid lake at sunset, or perhaps it’s just seeing those little plastic rods pumping away with all their might. Whatever the reason may be, the video [Vimal Patel] posted of his little remote controlled LEGO row boat cruising around on the open water is sure to put a smile on the face of even the most jaded hacker.

[Vimal] tells us that his creation is made up of over 140 unmodified LEGO parts, and is controlled over Bluetooth which connects to an app on his phone. While we would like to see some more detail on the reciprocating module he came up with to drive the boat’s paddles, we have to admit that the images he provided in his flickr album for the project are impeccable overall. If the toy boat game doesn’t work out for [Vimal], we think he definitely has what it takes to get into the advertising department for a car manufacturer.

[Vimal] was even kind enough to provide a LEGO Digital Designer file for the project, which in the world of little rainbow colored blocks is akin to releasing the source code, so you can build up your own fleet before next summer.

It’s worth noting that [Vimal] is something of a virtuoso in the world of modular building blocks, and no stranger here at Hackaday. His self lacing shoe impressed earlier this year, and this isn’t even his first LEGO watercraft.

All he has to do now to reach the true pinnacle of LEGO construction is to start building with giant versions of everyone’s favorite block.


Xerox Alto CRTs Needed a Tiny Lightbulb to Function

In the real world, components don’t work like we imagine they do. Wires have resistance, resistors have inductance, and capacitors have resistance. However, some designers like to take advantage of those imperfections, something our old friend [Ken Shirriff] noted when he was restoring the CRT of a Xerox Alto.

[Ken] tried to connect a Xerox monitor to the Alto and — since it was almost as old as the Alto — he wasn’t surprised that it didn’t work. What did surprise him, though, is that when he turned the monitor off, a perfect picture appeared for just a split second as the unit powered off. What could that mean?

Keep in mind this is a CRT device. So a perfect picture means you have vertical and horizontal sweep all at the right frequency. It also means you have high voltage and drive on the electron guns. If you are too young to remember all that, [Ken] covers the details in his post.

He found that the CRT grid voltage wasn’t present during operation. The voltage is derived from the high voltage supply but, mysteriously, the high voltage was fine. There was a small lightbulb in the grid voltage circuit, a 28V device much like a flashlight bulb. It measured open, and that turned out to be due to a broken lead. Repairing the broken lead to the bulb put the monitor back in operation.

On paper, a light bulb lights up when you put current through it. In real life, it is a bit more complicated. An incandescent filament starts off as almost a dead short and draws a lot of current for a very brief time. As the current flows, the filament gets hot and the resistance goes up. That reduces the current draw. This effect — known as inrush current — is the scourge of designers trying to turn on light bulbs with transistors or other electronic switches.

However, the unknown Xerox power supply designer used that effect as a current limiter. The short 600V pulses would hardly notice the light bulb, but if too much current flowed or too much time elapsed, the resistance of the bulb would rise, preventing too much current from flowing for too long. With the bulb open, the negative brightness grid provided an impassable barrier to the electrons. Apparently, the brightness grid lost power a bit earlier than the rest of the circuit and with it out of the way — or perhaps, partially out of the way — the picture was fine until the rest of the circuit also lost power.

We looked at [Ken’s] efforts on this machine earlier this year. Light bulbs, by the way, aren’t the only thing that changes resistance in response to some stimulus. You might enjoy the 1972 commercial from Xerox touting the Alto’s ability to do advanced tasks like e-mail and printing.


Hackaday Links: October 15, 2017

For the last few months we’ve been running The Hackaday Prize, a challenge for you to build the best bit of hardware. Right now — I mean right now — you should be finishing up your project, crossing your t’s and dotting your lowercase j’s. The last challenge in the Prize ends tomorrow. After that, we’re going to pick 20 finalists for the Anything Goes challenge, then send the finalists off to our fantastic team of judges. Time to get to work! Make sure your project meets all the requirements!

It’s been a few weeks, so it’s time to start talking about Star Trek. I’m paying ten dollars a month to watch Star Trek: Discovery. I was going to pay that anyway, but I think this might actually be worth it. Highlights include Cardassian voles and Gorn skeletons. Also on the Star Trek front is The Orville, [Seth MacFarlane]’s TNG-inspired show. The Orville has far surpassed my expectations and is more Star Trek than Discovery. Leave your thoughts below.

It’s a new edition of Project Binky! Two blokes are spending years stuffing a 4WD Celica into a Mini. It’s the must-watch YouTube series of the decade.

AstroPrint now has an app. If you’re managing a 3D printer remotely and you’re not using Octoprint, you’re probably using AstroPrint. Now it’s in app format.

Have fifty bucks and want to blow it on something cool? A company is selling used LED display tiles on eBay. You get a case of ten for fifty bucks. Will you be able to drive them? Who knows and who cares? It’s fifty bucks for massive blinkies.

[Peter] is building an ultralight in his basement. For this YouTube update, he’s making the wings.

Oh it’s deer season, so here’s how you make deer jerky.

If you’re messing around with Z-Wave modules and Raspberry Pis, there’s a contest for you. The grand prize is an all-expense paid trip to CES2018 in Las Vegas. Why anyone would be enthusiastic about a trip to CES is beyond me, but the Excalibur arcade has Crazy Taxi, so that’s cool.

Go is the language all the cool kids are using. GoCV gives Go programmers access to OpenCV.

Hackaday Prize Entry: Modular, Rapid Deployment Power Station

After a disaster hits, one obvious concern is getting everyone’s power restored. Even if the power plants are operational after something like a hurricane or earthquake, often the power lines that deliver that energy are destroyed. While the power company works to rebuild their infrastructure, [David Ngheim]’s mobile, rapid deployment power station can help get people back on their feet quickly. As a bonus, it uses renewable energy sources for power generation.

The modular power station was already tested at Burning Man, providing power to around 100 people. Using sets of 250 Watt panels, wind turbines, and scalable battery banks, the units all snap together like Lego and can fit inside a standard container truck or even the back of a pickup for smaller sizes. The whole thing is plug-and-play and outputs AC thanks to inverters that also ship with the units.

With all of the natural disasters we’ve seen lately, from Texas to Puerto Rico to California, this entry into the Hackaday Prize will surely gain some traction as many areas struggle to rebuild their homes and communities. With this tool under a government’s belt, restoration of power at least can be greatly simplified and hastened.