2024 Home Sweet Home Automation: The Winners Are In

Home automation is huge right now in consumer electronics, but despite the wide availability of products on the market, hackers and makers are still spinning up their own solutions. It could be because their situations are unique enough that commercial offerings wouldn’t cut it, or perhaps they know how cheaply many automation tasks can be implemented with today’s microcontrollers. Still others go the DIY route because they’re worried about the privacy implications of pushing such a system into the cloud.

Seeing how many of you were out there brewing bespoke automation setups gave us the idea for this year’s Home Sweet Home Automation contest, which just wrapped up last week. We received more than 80 entries for this one, and the competition was fierce. Judging these contests is always exceptionally difficult, as nearly every entry is a standout accomplishment in its own way.

But the judges forged ahead valiantly, and we now have the top three projects which will be receiving $150 in store credit from the folks at DigiKey.

Continue reading “2024 Home Sweet Home Automation: The Winners Are In”

This Week In Security: Putty Keys, Libarchive, And Palo Alto

It may be time to rotate some keys. The venerable PuTTY was updated to 0.81 this week, and the major fix was a change to how ecdsa-sha2-nistp521 signatures are generated. The problem was reported on the oss-security mailing list, and it’s quite serious, though thankfully with a somewhat narrow coverage.

The PuTTY page on the vulnerability has the full details. To understand what’s going on, we need to briefly cover ECDSA, nonces, and elliptic curve crypto. All cryptography depends on one-way functions. In the case of RSA, it’s multiplying large primes together. The multiplication is easy, but given just the final result, it’s extremely difficult to find the two factors. DSA uses a similar problem, the discrete logarithm problem: raising a number to a given exponent, then doing modulo division.

Yet another cryptography primitive is the elliptic curve, which uses point multiplication as the one-way function. I’ve described it as a mathematical pinball, bouncing around inside the curve. It’s reasonably easy to compute the final point, but essentially impossible to trace the path back to the origin. Formally this is the Elliptic Curve Discrete Logarithm Problem, and it’s not considered to be quantum-resistant, either.

One of the complete schemes is ECDSA, which combines the DSA scheme with Elliptic Curves. Part of this calculation uses a nonce, denoted “k”, a number that is only used once. In ECDSA, k must be kept secret, and signing different messages with the same nonce can lead to rapid exposure of the secret key.

And now we get to PuTTY, which was written for Windows back before that OS had any good cryptographic randomness routines. As we’ve already mentioned, re-use of k, the nonce, is disastrous for DSA. So, PuTTY did something clever, and took the private key and the contents of the message to be signed, hashed those values together using SHA-512, then used modulo division to reduce the bit-length to what was needed for the given k value. The problem is the 521-bit ECDSA, which takes a 521-bit k. The output of a SHA-512 is even shorter than that, so the resulting k value always started with nine 0 bits.

Continue reading “This Week In Security: Putty Keys, Libarchive, And Palo Alto”
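The nonce bias described above can be measured directly. The following is an added example, not PuTTY's code: `biased_nonce` is a simplified model of the construction as the article describes it (SHA-512 over key and message, reduced modulo the P-521 group order), and `wide_nonce` is a hypothetical comparison that hashes to 64 bits more than the curve size before reducing.

```python
import hashlib
import secrets

# Group order n of NIST P-521 (521 bits).
N = int("01FF" + "FFFFFFFF" * 7 + "FFFFFFFA"
        + "51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16)
CURVE_BITS = 521


def biased_nonce(priv: bytes, msg: bytes) -> int:
    """Simplified model of the article's description: SHA-512, then mod n."""
    digest = hashlib.sha512(priv + msg).digest()      # only 512 bits of output
    return int.from_bytes(digest, "big") % N          # reduction changes nothing


def wide_nonce(priv: bytes, msg: bytes) -> int:
    """Comparison (an assumption, not PuTTY's fix): hash wider than the curve."""
    nbytes = (CURVE_BITS + 64 + 7) // 8               # 64 extra bits hide mod bias
    wide = hashlib.shake_256(priv + msg).digest(nbytes)
    return int.from_bytes(wide, "big") % (N - 1) + 1  # uniform-ish in [1, n-1]


def leading_zero_bits(k: int) -> int:
    """Zero bits at the top of k when written as a 521-bit number."""
    return CURVE_BITS - k.bit_length()


def survey(nonce_fn, samples: int = 2000):
    """Return (fewest leading zeros seen, fraction of nonces with >= 9 zeros)."""
    priv = secrets.token_bytes(66)                    # constructed throwaway key
    zeros = [leading_zero_bits(nonce_fn(priv, f"constructed message {i}".encode()))
             for i in range(samples)]
    return min(zeros), sum(z >= 9 for z in zeros) / samples


if __name__ == "__main__":
    for name, fn in (("sha512 mod n", biased_nonce), ("wide hash mod n", wide_nonce)):
        fewest, frac = survey(fn)
        print(f"{name:16s} fewest leading zeros={fewest:2d}  "
              f"share with >=9 zero bits={frac:.3f}")
```

Every nonce from the first function has at least nine zero bits at the top, while the wider derivation produces that pattern only about once in 512 signatures, which is what an unbiased 521-bit value should do.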

Microsoft Killed My Favorite Keyboard, And I’m Mad About It

As a professional writer, I rack up thousands of words a day. Too many in fact, to the point where it hurts my brain. To ease this burden, I choose my tools carefully to minimize obstructions as the words pour from my mind, spilling through my fingers on their way to the screen.

That’s a long-winded way of saying I’m pretty persnickety about my keyboard. Now, I’ve found out my favorite model has been discontinued, and I’ll never again know the pleasure of typing on its delicate keys. And I’m mad about it. Real mad. Because I shouldn’t be in this position to begin with!

Continue reading “Microsoft Killed My Favorite Keyboard, And I’m Mad About It”

USB HID And Run Exposes Yet Another BadUSB Surface

You might think you understand the concept of BadUSB attacks and know how to defend against it, because all you’ve seen is opening a terminal window. Turns out there’s still more attack surface to cover, as [piraija] tells us in their USB-HID-and-run publication. If your system doesn’t do scrupulous HID device filtering, you might just be vulnerable to a kind of BadUSB attack you haven’t seen yet, rumoured to have been the pathway by which a few ATMs got hacked – simply closing the usual BadUSB routes won’t do.

The culprit is the Consumer Control specification – an obscure part of the HID standard that defines media buttons, specifically, the “launch browser” and “open calculator” kinds of buttons you see on some keyboards, that operating systems, surprisingly, tend to support. If the underlying OS you’re using for kiosk purposes isn’t configured to ignore these buttons, they provide any attacker with unexpected pathways to bypass your kiosk environment, and it works astonishingly well.

[piraija] tells us that this attack provides us with plenty of opportunities, having tested it on a number of devices in the wild. For your own tests, the writeup has Arduino example code you can upload onto any USB-enabled microcontroller, and for better equipped hackers out there, we’re even getting a Flipper Zero application you can employ instead. While we’ve seen some doubts that USB devices can be a proper attack vector, modern operating systems are more complex and bloated than even meets the eye, often for hardly any reason – for example, if you’re on Windows 10 or 11, press Ctrl+Shift+Alt+Win+L and behold. And, of course, you can make a hostile USB implant small enough that you can build them into a charger or a USB-C dock.

USB image: Inductiveload, Public domain.

OSHW Framework Laptop Expansion Hides Dongles

If you’ve got a wireless keyboard or mouse, you’ve probably got a receiver dongle of some sort tucked away in one of your machine’s USB ports. While modern technology has allowed manufacturers to shrink them down to the point that they’re barely larger than the USB connector itself, they still stick out enough to occasionally get caught on things. Plus, let’s be honest, they’re kind of ugly.

For owners of the Framework laptop, there’s now a solution: the DongleHider+ by [LeoDJ]. This clever open source hardware project is designed to bring these little receivers, such as the Logitech Unifying Dongle, into one of the Framework’s Expansion bays. The custom PCB is designed with a large notch taken out to fit the dongle’s PCB; all you need to do is solder it in with four pieces of stiff wire.

Continue reading “OSHW Framework Laptop Expansion Hides Dongles”

These Keycaps Are 100% Recycled Plastic

Artisan keycaps are generally meant to replace your Escape key, though they can be used anywhere you like (as long as they fit, of course). Keycap maker [tellybelly] of jankycaps has been experimenting with making keycaps out of 100% recycled plastic, and offers an interesting post detailing their development and production process.

What do you do when normal injection molding tooling is out of your budget, and silicone molds simply won’t do? You turn to 3D printing if you can. In this case, [tellybelly] and company found a resin designed to withstand high temperatures.

[tellybelly] was able to design the mold using a plethora of online resources, and even verified the flow using a special program. Although the first two versions worked, they had some flaws. Third time’s the charm, though, and then it was time to sort plastic and fire up the shredder.

After heating up the shreds to 200 °C or so, it was time to start the injecting. This part isn’t exactly a cakewalk — mixing different plastics together can vary the workable temperature range that doesn’t degrade the plastic. Although it sounds like the end, [tellybelly] reports that they spent just as much time here as they did at the drawing board, experimenting with pressure on the mold, various cool-down methods, and how long to wait before opening the mold.

Via reddit

Keebin’ With Kristina: The One With The Offset-Stem Keycaps

Image by [Leo_keeb] via reddit
Love it or hate it, I think this is a really cool idea. [Leo_keeb] has designed a new set of keycaps for the Happy Hacking Keyboard (HHKB). The keycaps’ stems are offset to the left or right in order to turn this once-staggered keyboard into an ortholinear object.

So, how do they feel? There is a slight wobble to them, according to [Leo_keeb] — it’s a bit like pressing the left or right side of Tab. But the actuation is smooth, they say.

As you can see, these resin keycaps weren’t designed with the typical Cherry MX profile in mind; they are made for the Topre capacitive key switches of the HHKB. (No, those aren’t weird rubber domes.)

When I asked about sharing the STLs, [Leo_keeb] advised me that they might be willing to release STLs for Cherry MX switches in the US layout if there is enough interest.

Continue reading “Keebin’ With Kristina: The One With The Offset-Stem Keycaps”