DEF CON 27: The Badge Talk; Or That One Time Joe Grand Sourced 30,000 Gemstones

Yesterday we published a first look at the hardware found on the DEF CON 27 badge. Two things caught my attention right away: a magnetically coupled wireless communications scheme rather than an RF-based one, and an interesting way to attach the lanyard. But the gemstone faceplate and LED diffuser have their own incredible backstory you don’t want to miss.

This morning Joe Grand — badge maker for this year and many of the glory years of hardware badges up through DC18 — took the stage to share his story of conceptualizing, prototyping, and shepherding the manufacturing process for 28,500 badges. Imagine the pressure of delivering a delightful concept, on-time, and on budget… well, almost on budget. During the talk he spilled the beans on the quartz crystal hanging off the front side of every PCB.

3D Printing Makes Modular Payload For Model Rocket

Putting payloads into model rockets can be more complex than simply shoving stuff into an open spot, so [concretedog] put some work into making a modular payload tube for his current rocket. The nose cone for his rocket is quite large, so he opted to give it a secure payload area that doesn’t compromise or interfere with any of the structural or operational bits such as the parachute.

The payload container is a hollow tube with a 3D printed threaded adaptor attached to one end. Payload goes into the tube, and the tube inserts into a hole in the bulkhead, screwing down securely. The result is an easy way to send up something like a GPS tracker, possibly with a LoRa module attached to it. That combination is a popular one with high-altitude balloons, which, like rockets, also require people to retrieve them after not-entirely-predictable landings. LoRa wireless communications have very long range, but that doesn’t help if there’s an obstruction like a hill between you and the transmitter. In those cases, a simple LoRa repeater attached to a kite, long pole, or drone can save the day.

We’ve seen [concretedog]’s work before, when he designed stackable PCBs intended to easily fit inside model rocket bodies, allowing for easy integration of microcontroller-driven functions like delayed ignitions or altimeter triggers. Better development tools, hardware, and 3D printing have really helped make smarter rocketry more accessible to hobbyists.

A Macro Keyboard In A Micro Package

Remember back in the early-to-mid 2000s when pretty much every cheap USB keyboard you could find started including an abundance of media keys in its layout? Nowadays, especially if you have a customized or reduced-sized mechanical keyboard, those are nowhere to be seen. Whenever our modern selves need those extra keys, we have to turn to external peripherals, and [Gary’s] Knobo is one that looks like it could’ve come straight out of a fancy retail package.

The Knobo is a small macro keypad with 8 mechanical Cherry-style keys and a clickable rotary encoder knob as its main feature. Each key and knob gesture can be customized to any macro, and with five gestures possible with the knob, that gives you a total of thirteen inputs. On top of that, the build and presentation look so sleek and clean we’d swear this was a product straight off of Teenage Engineering’s money-printing machine.

The actions you can do with those inputs range from simple media controls with a volume knob all the way to shortcuts to make a Photoshop artist’s life easier. Right now you can only reprogram the Knobo’s Arduino-based firmware with an In-Circuit Serial Programmer to change what the inputs do, but [Gary] is currently working on configuration software so that users without any programming knowledge will be able to customize it too.

Knobs are just one of those things that everyone wants to use to control their computers, much like giant red buttons. Alternative input devices can range from accessibility-designed to just downright playful. Whatever the inspiration is for them, it’s always nice to see the creativity of these projects.

Eric Weinhoffer Covers Enclosure Design And Manufacturing Tech During Hackaday Prize Mentor Session

Eric Weinhoffer has had plenty of experience in the product design arena, and this hard-earned knowledge is readily apparent in his mentor session for The Hackaday Prize. These serve to link up Prize entrants with industry experts in order to help them take their projects into production. You still have time to get in on the 2019 Hackaday Prize which is accepting entries until August 25th.

Eric’s work as a Prototype Engineer at Bolt stands him in good stead to deliver valuable advice on manufacturing techniques and prototyping. With projects as diverse as CNC milling machines and ISS payloads under his belt, Eric was able to help out these entrants with a series of tricky problems that will be familiar to anyone who has tried to take a project out of the lab and into the market.

Let’s take a look at the projects and the advice that were shared during this session.

Hackaday Podcast 030: Seven Years Of RTL-SDR, 3D Printing Optimized For The Eye, Sega Audiophile, Swimming In Brighteners

Hackaday Editors Mike Szczys and Elliot Williams curate the awesome hacks from the past week. On this episode, we marvel about the legacy RTL-SDR has had on the software-defined radio scene, turn a critical ear to 16-bit console audio hardware, watch generative algorithms make 3D prints beautiful, and discover why printer paper is so very, very bright white.

Take a look at the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Direct download (60 MB or so.)

Laser Trip Wire Hides What You’re (Not) Working On

We assume your office policy allows for reading Hackaday during work hours. But what about cruising reddit, or playing Universal Paperclips? There’s a special kind of stress experienced when attempting to keep one eye on your display and the other on the doorway; all the while convinced the boss is about to waltz into the room and be utterly disappointed in you.

But fear not, for [dekuNukem] has found the solution with Daytripper. This wireless laser tripwire communicates back to your computer using NRF24 (2.4 GHz on the ISM band) and can be used to invisibly cordon off a door or hallway and fire a scripted action on your computer if its beam has been broken. Nominally this is used to send the keyboard command that hides all open windows, but we’re sure the imaginative readers of Hackaday could come up with all sorts of alternate uses for this capability.

The Daytripper transmitter uses a laser time-of-flight sensor, in this case the very small VL53L0X by STMicroelectronics. It’s best situated so the laser will be bounced straight back at it. It has a range of about four feet, which is perfect for covering a door, though a wide hallway could give it some trouble. [dekuNukem] admits that the 5 Hz scan rate means a sufficiently fast moving adversary might slip past the sensor, but if they’re trying that hard to see what’s on your monitor, they probably deserve a peek.

On the receiver side, there’s a small board that plugs into your computer and mimics a USB keyboard. It has a selector switch on the side that allows the user to set what key sequence will be “typed” once the system has been tripped. It has built-in support for minimizing all windows or locking the computer, or you can set it to send ALT + Pause, which you can listen for and act on however you see fit.

If you want to build your own Daytripper, the firmware and hardware are both available on GitHub under an MIT license. For those who prefer instant gratification, [dekuNukem] is doing a small production run and offering them up on Tindie.

This Week In Security: SWAPGS, Malicious Shaders, More IOS Woes, And WPA3

I’m sure you’ve heard of Spectre, which was the first of many speculative execution vulnerabilities found in modern processors. A new one just popped up this week. At Blackhat on Tuesday, CVE-2019-1125 was announced by Bitdefender as SWAPGS.

SWAPGS is an x86_64 instruction that is intended for use in context switching, that is when execution is transferred from a user-space program back into the kernel. Specifically, SWAPGS swaps the value of the GS register so that it refers to either a memory location in the running application, or a location in the kernel’s space. An unprivileged program can attempt to call this instruction and leak kernel memory contents as a result of the processor speculatively executing the instruction (this is similar to Spectre). Even though the instruction will ultimately not be executed, because a userspace program doesn’t have sufficient privilege to do so, the contents of the system cache have already been sufficiently altered, and an attack could feasibly leverage this to read arbitrary kernel memory.

While the initial reports have mentioned both AMD and Intel products, AMD has released a statement:

AMD is aware of new research claiming new speculative execution attacks that may allow access to privileged kernel data. Based on external and internal analysis, AMD believes it is not vulnerable to the SWAPGS variant attacks because AMD products are designed not to speculate on the new GS value following a speculative SWAPGS. For the attack that is not a SWAPGS variant, the mitigation is to implement our existing recommendations for Spectre variant 1.

Patches for Windows and Linux have been released, and Red Hat has an informative write-up on the vulnerability. I would have reviewed Bitdefender’s whitepaper on the vulnerability, but rather than make it freely available, they have opted to require a name and email address. While I would like to see their work, I refuse to sell my contact information in exchange for access.

A Malicious Shader?

This is the first time I can remember hearing of a malicious pixel shader. Cisco Talos announced a set of vulnerabilities targeting VMware and NVIDIA graphics drivers.

Shaders are specialized programs that run on a video card, and are generally used to apply effects like blur, lighting, bump mapping, and more. Most of the graphical improvements in the last few years of gaming are a result of shaders.

Talos researchers were specifically looking at how to compromise a VM hypervisor from inside a guest OS, and they discovered that when a host provides 3D acceleration to the guest, shaders are passed directly through to the system drivers without verification. Because the NVIDIA drivers are also vulnerable, this could allow a malicious program on the host to run arbitrary code on the hypervisor.

While this is troubling enough, the topper is that a malicious shader could potentially be run via WebGL. Taken together, this represents a real danger where simply loading a malicious WebGL enabled page could compromise not only a conventional machine, but could also compromise the bare-metal OS even when run on a guest instance.

Both NVIDIA and VMware have already released driver updates that fix the flaw, so go update!

iOS Problems

Natalie Silvanovich of Google’s Project Zero released a set of 5 iOS vulnerabilities on Wednesday the 7th. These are not garden variety bugs, but so-called “zero click” problems where no user interaction is required for exploit.

The first exploit, for example, is a spoofed visual voicemail message. Visual voicemail notifications are sent as specially formatted text messages and contain information about the message and the address of an IMAP server to connect to and download the message. That information can be spoofed, leading a device to try to download a message from an IMAP server in the control of an attacker. From that point, finding a bug in the iOS IMAP handling code was relatively easy.

5 vulnerabilities have been fixed in iOS updates. There is a 6th vulnerability, CVE-2019-8641, that has yet to be fixed. While a few hints about this problem are given, the details have been withheld until an update has been released to fully fix the problem. One could be a bit cynical and point out that it’s the Google research team announcing these flaws. While there is certainly a self-serving angle to consider, it’s much better for iOS and consumers if flaws are fixed and publicized, rather than kept secret and sold to an offensive security vendor.

One more iOS story is Apple Bleee. Bluetooth Low Energy is an extremely useful communication protocol, allowing Apple devices to perform many of their seemingly magic functions. The downside is that to make the magic happen, iOS devices are constantly sending BLE signals, probing for other devices. The researchers at Hexway realized that these signals leak lots of data about your device, potentially including your phone number.

iOS uses a SHA256 hash of the device’s phone number as an identifier when using AirDrop. SHA256 is still a reasonably secure one-way hash, so there’s no problem, right? The clever realization is that while the hash is secure, and the output space is too large to attack, the input space is small enough to be manageable. An attacker could target the most common area codes in their area, limiting the target space further. From there, the SHA256 hashes for all valid numbers can be pre-calculated and stored in a lookup table.
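The small-input-space problem described above can be shown with an added example (not code from Hexway or from the original article). It hashes a constructed block of 10,000 numbers in the unassigned 555 area code and compares that with a keyed hash. The number format, the prefix and the key are assumptions, and the keyed variant is only a contrast, not a description of how iOS works.

```python
import hashlib
import hmac

def sha256_hex(number: str) -> str:
    """Unkeyed identifier: plain SHA256 of the digits, as the article describes."""
    return hashlib.sha256(number.encode("ascii")).hexdigest()

def candidates(prefix: str, digits: int):
    """Yield every number made of `prefix` plus a zero-padded suffix."""
    for n in range(10 ** digits):
        yield f"{prefix}{n:0{digits}d}"

def build_table(prefix: str, digits: int) -> dict:
    """Precompute hash -> number for one block of the input space."""
    return {sha256_hex(num): num for num in candidates(prefix, digits)}

def keyed_id(number: str, key: bytes) -> str:
    """Keyed identifier: useless to precompute without the key."""
    return hmac.new(key, number.encode("ascii"), hashlib.sha256).hexdigest()

def full_space_size(area_codes: int, local_digits: int = 7) -> int:
    """How many candidates remain once the area codes are narrowed down."""
    return area_codes * 10 ** local_digits

def demo():
    # Constructed sample data: country code 1, unassigned area code 555,
    # exchange 555, so only the last four digits vary.
    prefix = "1555555"
    secret_number = "15555550123"
    table = build_table(prefix, 4)

    # The unkeyed hash is found in the table, so the number is recovered.
    recovered = table.get(sha256_hex(secret_number))

    # The same table is useless against a keyed hash when the key is unknown.
    key = b"constructed-demo-key"  # assumption: a secret the observer lacks
    keyed_lookup = table.get(keyed_id(secret_number, key))

    return recovered, len(table), keyed_lookup, full_space_size(area_codes=5)

if __name__ == "__main__":
    recovered, size, keyed_lookup, space = demo()
    print(f"table entries: {size}, recovered: {recovered}")
    print(f"keyed lookup: {keyed_lookup}")
    print(f"candidates for 5 area codes: {space:,}")
```

Even five full area codes give only 50 million candidates, which is why the strength of SHA256 itself offers no protection for an identifier with this little entropy.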

More WPA3 Problems

We’ve discussed Dragonblood, a WPA3 analysis project. A new problem has been identified, a timing analysis attack that leaks information about the internal state of the encryption algorithm.