This Week In Security: ACME.sh, Leaking LEDs, And Android Apps

Let’s Encrypt has made an enormous difference to the landscape of the web. The protocol used for authenticating and receiving certificates, ACME, has spawned quite a few clients of various flavors. Some are written in Rust, some in Python or Go, and a few in straight Bash shell script. One of those last ones, acme.sh, was doing something odd when talking to a particular “Certificate Authority”, HiCA. This pseudo-CA only supports acme.sh, and now we know why. The folks behind HiCA found an RCE exploit in acme.sh, and decided to use that exploit to do certificate issuance with more “flexibility”. Oof.

The nuts and bolts here are that HiCA was working as a CA-in-the-Middle, wrapping other CAs’ authentication services. Those services don’t support ACME authentication at all, and HiCA used the acme.sh vulnerability to put the authentication token in the place SSL.com expected to find it. So, just a good community member offering a service that ACME doesn’t quite support, right?

Well, maybe not so innocent. The way this appears to work is that the end user sends a certificate request to HiCA. HiCA takes that information and initiates a certificate request off to SSL.com. SSL.com sends back a challenge, and HiCA embeds that challenge in the RCE payload and sends it to the end user. The end user’s machine triggers the RCE, which pushes the challenge token to the well-known location, and bypasses the ACME protection against exactly this sort of CA-in-the-middle situation.

The last piece of the authentication process is that the signing server reaches out over HTTP to the domain being signed and looks for the token to be there. Once found, it sends the signed certificates to HiCA, which then forwards them on to the end user. And that’s the problem. HiCA has access to the key of every SSL cert they handled. This doesn’t allow encryption, but these keys could be used to impersonate or even launch MitM attacks against those domains. There’s no evidence that HiCA was actually capturing or using those keys, but this company was abusing an RCE to put itself in the position to have that ability.

The takeaway is twofold. First, as an end user, only use reputable CAs. And second, ACME clients need to be hardened against potentially malicious CAs: anything the CA hands back (tokens, URLs, challenge data) is untrusted input. The fact that HiCA only supported the one ACME client was what led to this discovery, and should have been a warning flag to anyone using the service.
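To make the second takeaway concrete, here is an added example (not acme.sh code, and not tied to any specific acme.sh bug) of the client-side check an ACME client should apply before it acts on a CA-supplied http-01 challenge. RFC 8555 defines the token as base64url with at least 128 bits of entropy, so a conforming client can reject anything outside that shape before the value ever reaches a path or a command line, and then write the key authorization with a plain file operation rather than through a shell. The token, JWK and webroot below are constructed sample values.

```python
"""Hardened handling of CA-supplied ACME http-01 challenge data.

Added example, not acme.sh code.  Models the client-side check an ACME
client should apply before it writes a challenge response under
/.well-known/acme-challenge/: the token the CA hands back is untrusted
input and must be constrained to what RFC 8555 allows before it touches
a path or a command line.
"""
import base64
import hashlib
import json
import re
import tempfile
from pathlib import Path

# RFC 8555 section 8.3: the token is base64url with no padding and MUST
# carry at least 128 bits of entropy, so a conforming token is >= 22 chars.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: canonical JSON of the required public members, SHA-256.
    required = {"kty", "crv", "x", "y", "n", "e", "k"}
    canon = {k: jwk[k] for k in sorted(jwk) if k in required}
    raw = json.dumps(canon, separators=(",", ":"), sort_keys=True).encode()
    return b64url(hashlib.sha256(raw).digest())


def validate_token(token: str) -> bool:
    """Reject anything the ACME spec would never produce.  A shell
    metacharacter, a path separator or a '..' inside a "token" means the
    CA is trying to drive the client, not issue a challenge."""
    return bool(TOKEN_RE.fullmatch(token))


def key_authorization(token: str, account_jwk: dict) -> str:
    if not validate_token(token):
        raise ValueError("token is not RFC 8555 base64url")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def write_challenge(webroot: Path, token: str, account_jwk: dict) -> Path:
    """Write the key authorization where the CA's validator will fetch it,
    using a pure file write (no eval, no shell) and confirming the
    resolved path stays inside the challenge directory."""
    keyauth = key_authorization(token, account_jwk)
    chal_dir = (webroot / ".well-known" / "acme-challenge").resolve()
    chal_dir.mkdir(parents=True, exist_ok=True)
    target = (chal_dir / token).resolve()
    if target.parent != chal_dir:
        raise ValueError("token escapes the challenge directory")
    target.write_text(keyauth)
    return target


def demo() -> dict:
    """Run the check over constructed inputs, as they might arrive from a
    CA, inside a throwaway webroot; returns what was accepted/rejected."""
    jwk = {"kty": "oct", "k": "c29tZS1vcGFxdWUta2V5"}  # constructed, not a real key
    candidates = [
        "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA",  # constructed, right shape
        "../../../etc/passwd",                          # path traversal shape
        "token$(cmd)",                                  # shell injection shape
        "short",                                        # below the entropy floor
    ]
    accepted = []
    with tempfile.TemporaryDirectory() as d:
        for tok in candidates:
            try:
                written = write_challenge(Path(d), tok, jwk)
                accepted.append((tok, written.read_text().startswith(tok + ".")))
            except ValueError:
                pass
    return {"accepted": accepted, "rejected": len(candidates) - len(accepted)}


if __name__ == "__main__":
    print(demo())
```

The point is the order of operations: validate the shape first, build the path with filesystem primitives second, and never hand a CA-controlled string to `eval` or an unquoted command. Any one of those three alone leaves a gap; together they make the HiCA trick a rejected challenge rather than code execution.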

The Fake Moon Landing Quarantine

We aren’t much into theories denying the moon landing around here, but [Dagomar Degroot], an associate professor at Georgetown University, asserts that the Apollo 11 quarantine efforts were bogus. Realistically, we think today that the chance of infection from the moon, of all places, is low. So claiming it was successful is like paying for a service that prevents elephants from falling through your chimney. Sure, it worked — there hasn’t been a single elephant!

According to [Degroot], the priority was to protect the astronauts and the mission, and most of the engineering money and effort went towards that risk reduction. The — admittedly low — danger of some alien plague wiping out life on Earth wasn’t given the same priority.



Play N64 Games The Right Way With This Classic Controller Adapter

Game consoles typically support a limited number of input devices, meaning that console games are often completely optimized for the default controller supplied with that platform. Nintendo’s tendency to completely reinvent their controllers pretty much every generation can therefore become a little irritating, especially when they also enable their newer consoles to play games from their back catalog. So when [Robson Couto] found that using the Switch’s Joy-Cons was a bit awkward for playing emulated Nintendo 64 games, he decided to figure out how to connect real N64 controllers to a Nintendo Switch.

While you can buy modern N64-style controllers for the Switch, even straight from Nintendo themselves, [Robson] thought it would be way more interesting to reuse an old controller and implement the translation step from scratch. In the video (embedded below) he takes a deep dive into all the timing details of the N64 controller protocol, which is basically a 1-wire setup, and explains how to use an STM32F411 BlackPill board to read out the controller’s buttons and joystick.

Next, he explores how to map the resulting data to the USB HID protocol used by the Switch. Most of the buttons have a clear one-to-one mapping, but since the “minus”, “capture” and “home” buttons are missing on the N64 controller, he chose to map these to button combinations unlikely to be used during regular gameplay. [Robson] also ran into the common issue of the analog joystick having a poorly-defined maximum range, for which he added a rudimentary auto-calibration feature.

Finally, he designed and 3D-printed a neat enclosure for his system with an N64 controller port on one side and a USB port on the other. By 3D-printing the whole thing he also avoided having to either source the non-standard connector or permanently modify his hardware. The end result of [Robson]’s project is an unobtrusive gadget that connects classic controllers to modern hardware – but of course, the reverse process is very much possible, too. If you want, you can even play N64 games with a mouse and keyboard.


Transform An Original Xbox Controller To A 360 Controller

If you’re looking for a controller for your computer or mobile device, you could certainly do worse than one of the latest iterations of the Xbox pad. They might not be perfect, but they’re fairly well-made, not particularly expensive, use standard USB and Bluetooth interfaces, and even have decent support in the open-source community. So if you’re gaming on Linux or working on any other kind of retro gaming rig it’ll likely be plug-and-play.

This wasn’t the case with the first generation Xbox controller, though, and although its proprietary connector was actually carrying USB, the controller scheme wasn’t as open. This is [Tom]’s effort at upcycling his original Xbox controller to work indistinguishably from a stock Xbox 360 controller.

For those asking why anyone would want to do this, [Tom] is actually one of the few who enjoyed the original bulky Xbox “Duke” controller that released with the console in 2001. It wasn’t a popular choice in the larger gaming community and a year later Microsoft released a smaller version, but we all have our quirks. A Teensy 4.1 is attached to the end of the controller cable and acts as an intermediary to intercept the proprietary signalling coming from this controller and convert it into something usable. Since the controller doesn’t even show up as a standard USB HID device it took a little more sniffing of the protocol to decipher what was going on at all, but eventually some help was found within this other driver that gave [Tom] the clues he needed to get it working.

There were some other headaches to this project as well, especially since debugging USB connections while using USB isn’t exactly a streamlined process, but after a couple of breakthroughs the Teensy pass-through interface began working and [Tom] can now use his controller of choice across multiple platforms. If you’re looking to upgrade in other ways take a look at this build which seeks to recalibrate, rather than replace, an older Xbox controller experiencing drift on its analog control sticks.


Reverse Engineering A Better Night’s Sleep

All you want is a decent night’s sleep, so you decide to invest in one of those fancy adjustable beds. At first, it’s fine — being able to adjust the mattress to your needs on the fly is a joy, and yet…something isn’t quite right. Something nags at you every night, thwarting your slumber and turning your dreams of peaceful sleep into a nightmare once you realize your bed has locked you into a vertically integrated software ecosystem from which there’s no escape.

Or is there? That’s what [Chris Laplante] wanted to know, and why he reverse-engineered his Tempur-Pedic remote control. As many products these days do, his bed was touted as having an Android application for smartphone adjustability, but alas, the app hasn’t been updated since 2014 (!) and doesn’t appear to work on modern phones. [Chris] decided to take matters into his own hands and build a gateway to talk to the bed using its native RF protocol.

Most good reverse engineering stories start with research, and this one is no exception. Digging into the FCC database revealed a wealth of clues, such as the frequency — 433-MHz ISM band, no surprise — and even spectrum analyzer screenshots of the remote’s signals. A HackRF One revealed more about the signals, but it turned out that sniffing the SPI bus between the microcontroller and the Si4431 RF transceiver with a Saleae logic analyzer was more fruitful, allowing him to dig into the packet structure.

The engineers at Tempur-Pedic threw quite a few challenges at [Chris], like an application-level CRC in addition to the CRC used by the Si4431, and interesting complications to control the massage features of the bed. In the end, [Chris] managed to get a pretty complete snapshot of the conversation between the bed and the remote, and is now in the process of building a gateway that’ll actually connect to his phone, plus integrate into his home automation system. We’re looking forward to updates on that.

Electronic Connect 4 Console Doesn’t Use LCD

You might think that making your own electronic games would require some kind of LCD, but lately, [Mirko Pavleski] has been making his using inexpensive 8×8 WS2812B LED panels. This lets even a modest microcontroller easily control a 64-pixel “screen.” In this case, [Mirko] uses an Arduino Nano, 3 switches, and a buzzer along with some 3D printed components to make a good-looking game. You can see it in action in the video below.

The WS2812B panels are easy to use since the devices have a simple protocol where you only talk to the first LED. You send pulses to determine each LED’s color. The first LED changes color and then starts repeating what you send to the next LED, which, of course, does the same thing. When you pause a bit, the array decides you are done, and the next train of pulses will start back at the first LED.
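The shift-forward behaviour described in that paragraph is easy to lose sight of when a library hides it, so here is an added example (not from [Mirko]’s project or the German original) that models the protocol end to end: a frame is packed as 24 bits per LED in GRB order, each bit becomes a high/low pulse pair using the nominal WS2812B datasheet timings, and a simulated chain lets each LED keep the first 24 bits it sees and pass the rest down the line until a quiet gap longer than the reset time latches the frame. The colour values are constructed sample input.

```python
"""Model of the WS2812B daisy-chain protocol.

Added example, not project code.  Three parts: pack a frame (24 bits per
LED, G then R then B, MSB first), turn the bits into high/low pulse pairs
using the nominal datasheet timings, and simulate a chain in which each
LED latches the first 24 bits it sees and forwards everything after that.
A line held low longer than the reset time ends the frame, so the next
train of pulses starts again at the first LED.
"""
from typing import List, Tuple

# Nominal WS2812B datasheet timings in nanoseconds (assumed correct here).
T0H, T0L = 400, 850      # a '0' bit: short high, long low
T1H, T1L = 800, 450      # a '1' bit: long high, short low
RESET_NS = 50_000        # low for more than 50 us latches the frame

Color = Tuple[int, int, int]          # (r, g, b), each 0..255
Pulse = Tuple[int, int]               # (high_ns, low_ns)


def encode_frame(colors: List[Color]) -> bytes:
    """3 bytes per LED in the order the chip expects: G, R, B."""
    out = bytearray()
    for r, g, b in colors:
        for component in (g, r, b):
            if not 0 <= component <= 255:
                raise ValueError("colour component out of range")
            out.append(component)
    return bytes(out)


def frame_to_pulses(frame: bytes) -> List[Pulse]:
    """Each bit, MSB first, becomes one (high, low) pulse pair; the frame
    is closed by a reset gap so the chain latches what it received."""
    pulses: List[Pulse] = []
    for byte in frame:
        for shift in range(7, -1, -1):
            bit = (byte >> shift) & 1
            pulses.append((T1H, T1L) if bit else (T0H, T0L))
    pulses.append((0, RESET_NS + 1))
    return pulses


def chain_receive(pulses: List[Pulse], n_leds: int) -> List[Color]:
    """Simulate the chain.  LED 0 keeps the first 24 bits, LED 1 the next
    24, and so on.  Data beyond the last LED falls off the end; LEDs that
    receive no complete word keep their previous colour (off here).  A bit
    is read as '1' when its high time is closer to T1H than T0H, which is
    how the chips discriminate the two symbols."""
    leds: List[Color] = [(0, 0, 0)] * n_leds
    bits: List[int] = []
    for high, low in pulses:
        if low > RESET_NS:           # reset gap: frame over, latch it
            break
        bits.append(1 if high > (T0H + T1H) // 2 else 0)

    def word(chunk: List[int]) -> int:
        value = 0
        for bit in chunk:
            value = (value << 1) | bit
        return value

    for i in range(n_leds):
        chunk = bits[24 * i: 24 * (i + 1)]
        if len(chunk) < 24:
            break                    # this LED (and later ones) saw no full word
        g, r, b = word(chunk[0:8]), word(chunk[8:16]), word(chunk[16:24])
        leds[i] = (r, g, b)
    return leds


if __name__ == "__main__":
    sample = [(255, 0, 0), (0, 255, 0), (0, 0, 255), (16, 32, 48)]  # constructed
    print(chain_receive(frame_to_pulses(encode_frame(sample)), 6))
```

Running the model with more LEDs than colours shows the tail of the strip staying dark, and with fewer LEDs than colours shows the surplus data simply being forwarded off the end of the chain, which is exactly why a 64-pixel panel needs nothing more than a long enough frame and a pause.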

It looks like the project is based on a German project from [Bernd Albrecht], but our German isn’t up to snuff, and machine translation always leaves something to be desired. Another developer added a play against the computer mode. This is a simple program and would be easy to port to the microcontroller of your choice. [Mirko]’s execution of it looks like it could be a commercial product. If you made one as a gift, we bet no one would guess you built it yourself.

Of course, you could play a real robot. You could probably repurpose this hardware for many different games, too.


Vehicle-to-Grid Made Easy

As electric cars continue to see increased adoption, one associated technology that was touted long ago but still hasn’t seen widespread adoption is vehicle-to-grid or vehicle-to-home. Since most cars are parked most of the time, this would allow the cars to perform load-levelling for the grid or even act as emergency generators on an individual basis when needed. While this hasn’t panned out for a variety of reasons, it is still possible to put an EV battery to use off-grid or as part of a grid-tie solar system, and now you can do it without needing to disassemble the battery packs at all.

Normally when attempting to use a scrapped EV battery for another purpose, the cells would be removed from the OEM pack and reorganized to a specific voltage. This build, however, eliminates the need to modify the packs at all. A LilyGO ESP32 is used to convert the CAN bus messages from the battery pack to the Modbus communications protocol used by the inverter, in this case a Fronius Gen24, so the inverter and battery can coordinate energy delivery from one to the other automatically. With the hard part out of the way, the only other requirement is to connect a high voltage DC cable from the battery pack to the inverter.

[Dala], the creator of this project, has also taken other safety steps that we’d recommend anyone attempting to recreate this build pay close attention to, as these battery packs contain an extremely large amount of energy. The system itself supports battery packs from Nissan Leafs as well as the Tesla Model 3, which can usually be found for comparably low prices. Building battery energy storage systems to make up for the lack of commercially-available vehicle-to-home systems isn’t the only use for an old EV battery, though. For example, it’s possible to use Leaf batteries to triple the range of other EVs like [Muxsan] did with this Nissan van.
