This Wristwatch Is A Free Form Work Of Art

Free-form circuitry built as open wire sculpture can produce beautiful pieces of electronics, but it does not always lend itself to situations in which it might be placed under physical stress. Thus the sight of [Mile]’s free-form wristwatch is something of a surprise, as a wristwatch can be exposed to significant mechanical stress in its everyday use.

A wire Wrencher graces the underside.

The electronic side of this watch is hardly unusual: the familiar ATmega328-AU low-power microcontroller drives a tiny OLED display. Mechanically though it is a different story, as the outline of a wristwatch shell is traced in copper wire with a very neat rendition of a Wrencher in its base, and a glass lens is installed over the screen to take the place of a watch glass. A strap completes the wristwatch, which can then be worn like any other. Power comes from a small 110 mAh lithium-polymer cell, which it is claimed gives between 6 and 7 hours of on time and over a month of standby with moderate use.

Unfortunately there does not seem to be much detail about the software in this project, but since ATmega328 clocks and watches are ten a penny we don’t think that’s a problem. The key feature is that free-form construction, and for that we like it a lot.

Nixiewatch Looks Stylish In Aluminium

Nixie tubes are a perennial favorite, with their burnt orange glow bringing a smile to the face of even the most jaded maker. Due to their power requirements they’re usually seen in desktop clocks, but [RemcoK3] decided to whip up a Nixiewatch, with stylish results.

Packing twin Nixie tubes, the watch displays hours first, then minutes. An accelerometer is fitted, switching the tubes on when the user checks the watch. There’s also Bluetooth and WiFi connectivity, which can be used to set the time as well as check the remaining battery life. Standby time is estimated to be 350 hours, thanks to a low-power microcontroller and keeping the tubes off most of the time.

The presentation is where this watch really shines, sporting as it does an RGB LED for backlighting and an attractive aluminium case. The design is simple, helping to highlight the industrial beauty of the Nixie tubes themselves. The housing was first mocked up with 3D printed parts, before the final piece was CNC milled. [RemcoK3] is contemplating anodizing the watch, but we think that the brushed aluminium already looks perfect.

If you’ve grown tired of the Nixie aesthetic, fear not – numitron watches are also a thing!

Watch Earthquake Roll Across A Continent In Seismograph Visualization Video

If your only exposure to seismologists at work is through film and television, you can be forgiven for thinking they still lay out rolls of paper to examine lines of ink under a magnifying glass. The reality is far more interesting in a field that has eagerly adopted all available technology. A dramatic demonstration of modern earthquake data gathering, processing, and visualization was Tweeted by @IRIS_EPO following a central California quake on July 4th, 2019. In this video we can see the quake’s energy propagate across the continental United States in multiple waves of varying speed and intensity. The video is embedded below, but click through to the Twitter thread too as it has a lot more explanation.

The acronym IRIS EPO expands out to Incorporated Research Institutions for Seismology, Education and Public Outreach. We agree with their publicity mission; more people need to know how cool modern seismology is. By combining information from thousands of seismometers, we could see forces that we could not see from any individual location. IRIS makes seismic data available to researchers (or curious data science hackers) in a vast historical database or a real time data stream. Data compilations are presented in several different forms, this particular video is a GMV or Ground Motion Visualization. Significant events like the 4th of July earthquake get their own GMV page where we can see additional details, like the fact this visualization compiled data from 2,132 stations.

If this stirred up interest in seismology, you can join in the fun of networked seismic data. A simple seismograph can be built from quite humble components, but of course there are specially designed chips for the task as well.


Torturing An Instrumented Dive Watch, For Science

The Internet is a wild and wooly place where people can spout off about anything with impunity. If you sound like you know what you’re talking about and throw around a few bits of the appropriate jargon, chances are good that somebody out there will believe whatever you’re selling.

Case in point: those that purport that watches rated for 300-meter dives will leak if you wiggle them around too much in the shower. Seems preposterous, but rather than just dismiss the claim, [Kristopher Marciniak] chose to disprove it with a tiny wireless pressure sensor stuffed into a dive watch case. The idea occurred to him when his gaze fell across an ESP-01 module next to a watch on his bench. Figuring the two needed to get together, he ordered a BMP280 pressure sensor board, tiny enough itself to fit anywhere. Teamed up with a small LiPo pack, everything was stuffed into an Invicta dive watch case. A little code was added to log the temperature and pressure and transmit the results over WiFi, and [Kristopher] was off to torture test his setup.

The first interesting result is how exquisitely sensitive the sensor is, and how much a small change in temperature can affect the pressure inside the case. The watch took a simulated dive to 70 meters in a pressure vessel, which only increased the internal pressure marginally, and took a skin-flaying shower with a 2300-PSI (16 MPa) pressure washer, also with minimal impact. The video below shows the results, but the take-home message is that a dive watch that leaks in the shower isn’t much of a dive watch.

Hats off to [Kristopher] for doing the work here. We always love citizen science efforts such as this, whether it’s hardware-free radio astronomy or sampling whale snot with a drone.


Defeating The Wii Mini As The Internet Watches Over Your Shoulder

Working under the pressure of being watched on a live feed, [DeadlyFoez] pits himself against the so-called unhackable Wii Mini and shows unprecedented results all while recording hours of footage of his process for others to follow along. We dug through that content to find the gems of the process, the links below include timestamps to those moments.

The Wii Mini is a cost-reduced version of Nintendo’s best-selling console, sold near the end of its life with a few features removed such as GameCube backwards compatibility and SD card support. Along with that, in an effort to thwart the jailbreaking that had plagued its big sister, Nintendo made it so the NAND memory (where the system is stored) is encrypted and keyed to each device’s Hollywood GPU chip. This defeats methods which modified the storage in order to gain access to the hardware.

That did not stop [DeadlyFoez] from trying anyway, planning out the steps he needed to achieve a hacked Mini unit with the help of a regular Wii donor, already hacked. After dumping both systems’ NANDs and exploring the Wii Mini hardware further, he found a few pleasant surprises. There are test points on the board which allow GameCube controllers to be used with it. There are also SD card connections physically present on the board, but the support was removed from the Mini’s system software.

The most interesting parts come later on however: by simultaneously swapping NAND and GPU chips between original Wii and Wii Mini, [DeadlyFoez] manages to put together two distinct systems. The first is an original Wii board with the Mini’s chips, claimed to be “the first Wii Mini running homebrew software”. The second fills the opposite side of the equation, with both hardware and software to add SD card and GameCube controller ports to a Wii Mini.

This process of BGA rework in order to mod Nintendo hardware into unorthodox versions of themselves has actually been done before a few years ago, when someone made an unofficial US region non-XL new 3DS by piecing together parts from two separate consoles.

This Week In Security: Censoring Researchers, The Death Of OpenPGP, Dereferencing Nulls, And Zoom Is Watching You

Last week the schedule for our weekly security column collided with the Independence Day holiday. The upside is that we get a two-for-one deal this week, as we’re covering two weeks worth of news, and there is a lot to cover!

[Petko Petrov], a security researcher in Bulgaria, was arrested last week for demonstrating a weakness he discovered in a local government website. In the demonstration video, he stated that he attempted to disclose the vulnerability to both the software vendor and the local government. When his warnings were ignored, he took to Facebook to inform the world of the problem.

From the video, it appears that a validation step was performed on the browser side, easily manipulated by the end user. Once such a flaw is discovered, it becomes trivial to automate the process of scraping data from the vulnerable site. The vulnerability found isn’t particularly interesting, though the amount of data exposed is rather worrying. The bigger story is that as of the latest reports, the local government still intends to prosecute [Petko] for downloading data as part of demonstrating the attack.

Youtube Censorship

We made a video about launching fireworks over Wi-Fi for the 4th of July only to find out @YouTube gave us a strike because we teach about hacking, so we can't upload it. YouTube now bans: "Instructional hacking and phishing: Showing users how to bypass secure computer systems"

In related news, Google has begun cracking down on “Instructional Hacking and Phishing” videos. [Kody] from the Null Byte Youtube channel found himself locked out of his own channel, after receiving a strike for a video discussing a Wifi vulnerability.

The key to getting a video unblocked seems to be generating lots of social media attention. Enough outcry seems to trigger a manual review of the video in question, and usually results in the strike being rescinded.

Improved Zip Bomb

A zip bomb is a small zip file that unzips into a ridiculously large file or collection of files. While there are obvious nefarious uses for such a file, it has also become something of a competition, crafting the most extreme zip bomb. The previous champion was 42.zip, a recursive zip file that when fully extracted, weighs in at 42 petabytes. A new contender may have just taken the crown, and without using zip file recursion.

[David Fifield] discovered a pair of ZIP tricks. First being that multiple files can be constructed from a single “kernel” of compressed data. The second is that file headers could also be part of files to be decompressed. It’s clever work, and much easier to understand when looking at the graphics he put together. From those two points, the only task left is to optimize. Taking advantage of the zip64 format, the final compression ratio was approximately 98 million to one.
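
A defender-side check for the two tricks above, added here as an example (it is not code from [David Fifield]'s write-up or from this column): it reads only the archive's central directory and flags overlapping entries and implausible expansion before anything is extracted. The `Entry` type, the function names and the thresholds are assumptions chosen for illustration.

```python
import io
import zipfile
from dataclasses import dataclass

LOCAL_HEADER_FIXED = 30  # fixed-size part of a ZIP local file header, in bytes


@dataclass(frozen=True)
class Entry:
    name: str
    header_offset: int  # offset of the entry's local file header
    compress_size: int  # bytes of compressed data stored for the entry
    file_size: int      # uncompressed size the archive declares


def entries_from_zip(fileobj):
    """Read central-directory metadata only; nothing is decompressed."""
    with zipfile.ZipFile(fileobj) as zf:
        return [Entry(i.filename, i.header_offset, i.compress_size, i.file_size)
                for i in zf.infolist()]


def audit(entries, archive_size, max_total=1 << 30, max_ratio=200):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    total = sum(e.file_size for e in entries)
    if total > max_total:
        findings.append(f"total: declared output of {total} bytes exceeds {max_total}")
    if archive_size > 0 and total / archive_size > max_ratio:
        findings.append(f"ratio: expands about {total // archive_size}x (limit {max_ratio}x)")
    # Entries of an ordinary archive occupy disjoint byte ranges. Several
    # entries decoding the same compressed bytes show up as overlapping ranges.
    prev_end, prev_name = 0, None
    for e in sorted(entries, key=lambda x: x.header_offset):
        if e.header_offset < prev_end:
            findings.append(f"overlap: {e.name!r} starts inside {prev_name!r}")
        # Lower bound on where the entry ends (name and extra field ignored),
        # so a well-formed archive is never flagged by this check.
        end = e.header_offset + LOCAL_HEADER_FIXED + e.compress_size
        if end > prev_end:
            prev_end, prev_name = end, e.name
    return findings


def audit_zip_bytes(data):
    """Audit an archive held in memory."""
    return audit(entries_from_zip(io.BytesIO(data)), len(data))


if __name__ == "__main__":
    # Constructed metadata: three entries laid over one block of compressed data.
    sample = [Entry("a", 0, 1000, 10**7), Entry("b", 40, 960, 10**7),
              Entry("c", 80, 920, 10**7)]
    for finding in audit(sample, archive_size=1100):
        print(finding)
```

A recursive bomb such as 42.zip passes the overlap check at its outer layer, so nested archives need the same audit at every level, with a running total across levels.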

Breaking OpenPGP Keyservers

OpenPGP as we know it is on the ropes. OpenPGP is the technique that allows encryption and verification of emails through cryptographic signatures. It’s the granddaddy of modern secure communication, and still widely used today. One of the features of OpenPGP is that anyone can upload their public key to keyservers hosted around the world. Because of the political climate in the early 90’s when OpenPGP was first developed, it was decided that a baked-in feature of the keyserver was that uploaded keys could never be deleted.

Another feature of OpenPGP keys is that one user can use their key to sign another user’s key, formally attesting that it is valid. This creates what is known as a “web of trust”. When an OpenPGP instance validates a signature, it also validates all the attestations attached to that signature. Someone has spammed a pair of OpenPGP certificates with tens of thousands of signatures. If your OpenPGP client refreshes those signatures, and attempts to check the validations, it will grind to a halt under the load. Loading the updated certificate permanently poisons the offline key-store. In some cases, just the single certificate can be deleted, but some users have had to delete their entire key store.

It’s now apparent that parts of the OpenPGP infrastructure haven’t been well maintained for quite some time. [Robert J. Hansen] has been spearheading the public response to this attack, and is also one of the users directly targeted. In a follow-up post, he alluded to the need to re-write the keyserver component of OpenPGP, and the lack of resources to do so.

It’s unclear what will become of the OpenPGP infrastructure. It’s likely that the old keyserver network will have to be abandoned entirely. An experimental keyserver is available at keys.openpgp.org that has removed the spammed signatures.
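
One way to screen for the signature flood described above before a certificate reaches the local key store, added here as an example (it is not code from any OpenPGP implementation): walk the packet headers of a binary, de-armored certificate and count signature packets without verifying any of them. The function names, the 1000-signature threshold and the sample bytes are assumptions made for illustration.

```python
SIGNATURE_TAG = 2  # OpenPGP packet tag for a signature (RFC 4880, section 4.3)


def iter_packets(data):
    """Yield (tag, body_length) for each packet in a binary OpenPGP stream."""
    pos = 0
    while pos < len(data):
        first = data[pos]
        if not first & 0x80:
            raise ValueError(f"offset {pos}: not an OpenPGP packet header")
        pos += 1
        try:
            if first & 0x40:                       # new-format header
                tag, o1 = first & 0x3F, data[pos]
                if o1 < 192:
                    length, pos = o1, pos + 1
                elif o1 < 224:
                    length, pos = ((o1 - 192) << 8) + data[pos + 1] + 192, pos + 2
                elif o1 == 255:
                    length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
                else:
                    raise ValueError("partial body length not expected in a certificate")
            else:                                  # old-format header
                tag = (first >> 2) & 0x0F
                size = (1, 2, 4, None)[first & 0x03]
                if size is None:
                    raise ValueError("indeterminate length not expected in a certificate")
                length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        except IndexError:
            raise ValueError("truncated packet header") from None
        if pos + length > len(data):
            raise ValueError("truncated packet")
        yield tag, length
        pos += length                              # skip the body unparsed


def screen_certificate(data, max_signatures=1000):
    """Count signature packets; 'import' is False when the limit is exceeded."""
    sigs = sum(1 for tag, _ in iter_packets(data) if tag == SIGNATURE_TAG)
    return {"signatures": sigs, "bytes": len(data), "import": sigs <= max_signatures}


# Constructed sample, not a real key: dummy bodies behind valid packet headers.
SAMPLE = (bytes([0x98, 4]) + b"KEY0"                      # public key, old format
          + bytes([0xCD, 4]) + b"user"                    # user ID, new format
          + (bytes([0x89, 0, 8]) + b"SIGNATUR") * 3       # signatures, old format
          + (bytes([0xC2, 192, 108]) + bytes(300)) * 2)   # signatures, new format

if __name__ == "__main__":
    print(screen_certificate(SAMPLE))
    print(screen_certificate(SAMPLE, max_signatures=4))
```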

Beware the QR Codes

Link shorteners are a useful way to avoid typing out a long URL, but have a downside — you don’t know what URL you’re going to ahead of time. Thankfully there are link unshorteners, like unshorten.it. Paste a shortlink and get the full URL, so you don’t accidentally visit a shady website because you clicked on a shortened link. [Nick Guarino] over at cofense.com raises a new alarm: QR codes can similarly lead to malicious or questionable websites, and are less easily examined before scanning. His focus is primarily how a QR code can be used to bypass security products, in order to launch a phishing attack.

Most QR scanners have an option to automatically navigate to the web page in the code. Turn this option off. Not only could scanning a QR code lead to a malicious web site, but URLs can also launch actions in other apps. This potential problem of QR codes is very similar to the problem of shortened links — the actual payload isn’t human readable prior to interacting with it, when it’s potentially too late.

Dereferencing Pointers for Fun and Profit

On the 10th, the Eset blog, [welivesecurity], covered a Windows local privilege escalation 0-day being actively exploited in the wild. The exploit highlights several concepts, one of which we haven’t covered before, namely how to use a null pointer dereference in an exploit.

In C, a pointer is simply a variable that holds a memory location. In that memory location can be a data structure, a string, or even a callable function. By convention, when pointers aren’t referring to anything, they are set to NULL. This is a useful way to quickly check whether a pointer is pointing to live data. The process of interacting with a pointer’s data is known as dereferencing the pointer. A NULL pointer dereference, then, is accessing the data referred to by a pointer that is set to NULL. This puts us in the dangerous territory of undefined behavior.

Different compilers, architectures, and even operating systems will potentially demonstrate different behavior when doing something undefined. In the case of C code on 32-bit Windows 7, NULL is indistinguishable from zero, and memory location zero is a perfectly valid location. In this case, we’re not talking about the physical location zero, but logical address zero. In modern systems, each process has a dedicated pool of memory, and the OS manages the offset and memory mapping, allowing the process to use the simpler logical memory addressing.

Windows 7 has a function, “NtAllocateVirtualMemory”, that allows a process to request access to arbitrary memory locations. If a NULL, or zero, is passed to this function as the memory location, the OS simply picks a location to allocate that memory. What many consider a bug is that this function will effectively round down small memory locations. It’s quite possible to allocate memory at logical address 0/NULL, though doing so is considered bad behavior. The important takeaway here is that in Windows 7, a program can allocate memory at a location referred to by a null pointer.

On to the vulnerability! The malicious program sets up a popup menu and submenu as part of its GUI. While this menu is still being initialized, the malicious program cancels the request to set up the menu. By timing the cancellation request precisely, it’s possible for the submenu to still be created, but to be a null pointer instead of the expected object. A second process can then trigger the system process to call a function expected to be part of the object. Because Windows allows the allocation of memory page zero, this effectively hands system level execution to the attacker. The full write-up is worth the time to check out.

Zoom Your Way to Vulnerability

Zoom is a popular web-meeting application, aimed at corporations, with the primary selling point being how easy it is to join a meeting. Apparently they worked a bit too hard on easy meeting joins, as loading a malicious webpage on a Mac causes an automatic meeting join with the mic and webcam enabled, so long as that machine has previously connected to a Zoom meeting. You would think that uninstalling the Zoom client would be enough to stop the madness, but installing Zoom also installs a local webserver. Astonishingly, uninstalling Zoom doesn’t remove the webserver, which was designed to perpetually listen for a new Zoom meeting attempt. If that sounds like a Trojan to you, you’re not wrong.

The outcry over Zoom’s official response was enough to inform them of the error of their ways. They have pushed an update that removes the hidden server and adds a user interaction before joining a meeting. Additionally, Apple has pushed an update that removes the hidden server if present, and prompts before joining a Zoom meeting.

Wireless Keyboards Letting You Down

Have you ever typed your password using a wireless keyboard, and wondered if you just broadcast it in the clear to anyone listening? In theory, wireless keyboards and mice use encryption to keep eavesdroppers out, but at least Logitech devices have a number of problems in their encryption scheme.

Part of the problem seems to be Logitech’s “Unifying” wireless system, and the emphasis on compatibility. One receiver can support multiple devices, which is helpful when eliminating cable clutter, but also weakens the encryption scheme. An attacker only has to be able to monitor the radio signals during pairing, or even monitor signals while also observing keypresses. Either way, a few moments of processing, and an attacker has both read and write access to the wireless gear.

Several even more serious problems have been fixed with firmware updates in the past years, but [Marcus Mengs], the researcher in question, discovered that newly purchased hardware still doesn’t contain the updated firmware. Worse yet, some of the affected devices don’t have an officially supported firmware update tool.

Maybe wired peripherals are the way to go, after all!

Neat Smart(ish) Watch Build Uses BLE

Digital watches are a pretty neat idea, and are a great way to experiment with designing and building low-power circuits. That’s what [Eric Min] did with this neat smart watch build. It’s based around an nRF52832 SoC that does all of the heavy lifting, including connecting to a smartphone to get the time when the battery is replaced. It also has a decent quantity of blinky LEDs, which is important on any project of this type.
