Feeding Chickens, With Style

Ah, the joys of domestic animals. Often adorable, occasionally useful, they’re universally unable to care for themselves in the slightest. That’s part of the bargain though; we take over responsibility for their upkeep and they repay us with whatever it is they do best. Unless the animal in question is a cat, of course – they have their own terms and conditions.

Chickens, though, are very useful indeed. Give them food and water and they give you delicious, nutritious, high-quality protein. Feeding them every day can be a chore, though, unless you automate the task. This Twitch-enabled robotic chicken feeder may be overkill for that simple use case, but as [Sean Hodgins] tells it, there’s a method to all the hardware he threw at this build. That would include a custom-welded steel frame holding a solar panel and batteries, a huge LED matrix display, a Raspberry Pi and camera, and of course, food dispensers. Those are of the kind once used to dispense candy or gum for a coin or two in the grocery; retooled with 3D-printed parts, the dispensers now eject a small scoop of feed whenever someone watching a Twitch stream decides to donate to the farm that’s hosting the system. You can see the build below in detail, or just pop over to Sweet Farm to check out the live feed and gawk at some chickens.

It’s an impressive bit of work on [Sean]’s part for sure, and we did notice how he used his HCC rapid prototyping module to speed up development. Still, we’re not convinced there will be many donations at $10 a pop. Then again, dropping donations to the micropayment level may lead to overfed chickens, and that’s not a good thing.

Be Better Bracelet Breaks Bad Habits, Fosters Favorable Fixations

Do you want to be a better person? Maybe you want to curse less, drink more water, or post fewer inflammatory comments on the internet. You could go the old school route by wearing a rubber band around your wrist and snapping it every time you slip, or literally pat yourself on the back when you do the right thing. While these types of reinforcement methods may deter bad behavior and encourage good, they are quite lean on data. And who wants that?

After an unpleasant conference call, [Darian] cursed a blue streak that left his coworkers shocked and speechless. This inciting incident began the hero’s journey that will end with a kinder, gentler [Darian], as long as he has his trusty Be Better Bracelet. He tried involving Alexa when at home, and various apps elsewhere to track these venomous utterances, but he yearned for a single solution that’s always available.

The sole purpose of this bracelet is low-cost, unobtrusive habit tracking. Though tied to a phone, it won’t tell time, predict the weather, or alert the user to incoming what-have-yous. It will simply record button presses, which are assigned meaning in the app settings. It’s up to the user to set goals, analyze the data, and reward or punish themselves accordingly.

[Darian] is still working out the design kinks to make this as small and cheap as possible. If you have suggestions, let him know.

Airport Runways And Hashtags — How To Become A Social Engineer

Of the $11.7 million companies lose to cyber attacks each year, an estimated 90% begin with a phone call or a chat with support, showing that the human factor is clearly an important facet of security and that security training is seriously lacking in most companies. Between open-source intelligence (OSINT) — the data that leaks out to public sources just waiting to be collected — and social engineering — manipulating people into telling you what you want to know — there’s much about information security that has nothing to do with strong login credentials or VPNs.

There’s great training available if you know where to look. The first time I heard about WISP (Women in Security and Privacy) was last June on Twitter when they announced their first-ever DEFCON Scholarship. As one of 57 lucky participants, I had the chance to attend my first DEFCON and Black Hat, and learn about their organization.

Apart from awarding scholarships to security conferences, WISP also runs regional workshops in lockpicking, security research, cryptography, and other security-related topics. They recently hosted an OSINT and Social Engineering talk in San Francisco, where Rachel Tobac (three-time DEFCON Social Engineering CTF winner and WISP Board Member) spoke about Robert Cialdini’s principles of persuasion and their relevance in social engineering.

Cialdini is a psychologist known for his writings on how persuasion works — one of the core skills of social engineering. It is important to note that while Cialdini’s principles are being applied in the context of social engineering, they are also useful for other means of persuasion, such as bartering for a better price at an open market or convincing a child to finish their vegetables. It is recommended that they are used for legal purposes and that they result in positive consequences for targets. Let’s work through the major points from Tobac’s talk and see if we can learn a little bit about this craft.

Hackaday Podcast 032: Meteorite Snow Globes, Radioactive Ramjet Rockets, Autonomous Water Boxes, And Ball Reversers

Hackaday Editors Mike Szczys and Elliot Williams recorded this week’s podcast live from Chaos Communication Camp, discussing the most interesting hacks on offer over the past week. In novel locomotion news, there’s a quadcopter built around the Coanda effect and an autonomous boat built into a plastic storage bin. The radiation spikes in Russia point to a nuclear-powered ramjet but the idea is far from new. Stardust (well… space rock dust) is falling from the sky and it’s surprisingly easy to collect. And 3D-printed gear boxes and hobby brushless DC motors have reached the critical threshold necessary to mangle 20/20 aluminum extrusion.

Take a look at the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Direct download (60 MB or so.)

OTA Flash Tool Makes Fitness Tracker Hacking More Accessible

Over the last several months, [Aaron Christophel] has been working on creating a custom firmware for cheap fitness trackers. His current target is the “D6 Tracker” from a company called MPOW, which can be had for as little as $7 USD. The ultimate goal is to make it so anyone will be able to write their own custom firmware for this gadget using the Arduino IDE, and with the release of his new Android application that allows wirelessly flashing the device’s firmware, it seems like he’s very close to realizing that dream.

Previously, [Aaron] had to crack open the trackers and physically connect a programmer to update the firmware on the NRF52832-based devices. That might not be a big deal for the accomplished hardware hacker, but it’s a bit of a hard sell for somebody who just wants to see their own Arduino code running on it. But with this new tool, he’s made it so you can easily switch back and forth between custom and original firmware on the D6 without even having to take it off your wrist.

After the break, you can see the video that [Aaron] has put together which talks about the process of flashing a new firmware image. It’s all very straightforward: you simply pick the device from the list of detected BLE devices, the application puts the tracker into bootloader mode, and then you select the DFU file you want to flash.

There are a couple of ready-made firmwares you can put on the D6 right now, but where’s the fun in that? [Aaron] has put together a customized version of the Arduino IDE that provides everything you need to start writing and flashing your own firmware. If you’ve ever dreamed about creating a wearable device that works exactly the way you want, it’s hard to imagine a cheaper or easier way to get in on the action.

When we last heard from [Aaron] earlier this year, he was working on the IWOWN I6HRC tracker. But it looks like the availability of those devices has since dried up. So if you’re going to try your hand at hacking the MPOW D6, it might be wise to buy a few now while they’re still cheap and easy to find.

This Week In Security: KNOB, Old Scams Are New Again, 0-days, Backdoors, And More

Bluetooth is a great protocol. You can listen to music, transfer files, get on the internet, and more. A side effect of those many uses is that the specification is complicated and intended to cover many use cases. A team of researchers took a look at the Bluetooth specification, and discovered a problem they call the KNOB attack, Key Negotiation Of Bluetooth.

This is actually one of the simpler vulnerabilities to understand. Randomly generated keys are only as good as the entropy that goes into the key generation. The Bluetooth specification allows negotiating how many bytes of entropy are used in generating the shared session key. By necessity, this negotiation happens before the communication is encrypted. The real weakness here is that the specification lists a minimum entropy of 1 byte. This means 256 possible initial states, far within the realm of brute-forcing in real time.

The attack, then, is to essentially man-in-the-middle the beginning of a Bluetooth connection, and force that entropy length to a single byte. That’s essentially it. From there, a bit of brute forcing results in the Bluetooth session key, giving the attacker complete access to the encrypted stream.

One last note, this isn’t an implementation vulnerability, it’s a specification vulnerability. If your device properly implements the Bluetooth protocol, it’s vulnerable.
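To make the negotiation weakness concrete, here is an added example (not code from the article or the researchers) that models the responder's side of the entropy negotiation and audits the results. The function names, the sample links and the 7-byte policy floor are assumptions chosen for illustration.

```python
# Added example: simplified model of Bluetooth session-key entropy negotiation.
# Names, sample data and the 7-byte policy floor are illustrative assumptions.

SPEC_MIN_BYTES = 1    # minimum entropy the specification allows (per the article)
SPEC_MAX_BYTES = 16   # 128-bit session key
POLICY_FLOOR = 7      # assumed local policy, stricter than the spec minimum

def negotiate(received, responder_min, responder_max=SPEC_MAX_BYTES):
    """Return the agreed entropy in bytes, or None if the responder refuses.

    The proposal travels unencrypted, so `received` is whatever arrived on
    the wire, which is not necessarily what the initiator sent.
    """
    if not SPEC_MIN_BYTES <= received <= SPEC_MAX_BYTES:
        return None                       # malformed proposal
    if received < responder_min:
        return None                       # below local policy: refuse the link
    return min(received, responder_max)   # accept, or counter with a smaller size

def keyspace(entropy_bytes):
    """Number of candidate keys left for an eavesdropper to search."""
    return 256 ** entropy_bytes

# Constructed sample data: (peer, size the initiator sent, size the responder saw)
CONSTRUCTED_LINKS = [
    ("headset", 16, 16),
    ("keyboard", 16, 1),        # proposal altered in transit
    ("legacy-car-kit", 7, 7),
]

def run(responder_min):
    """Negotiate every constructed link under the given responder minimum."""
    return [{"peer": peer, "sent": sent,
             "key_bytes": negotiate(received, responder_min)}
            for peer, sent, received in CONSTRUCTED_LINKS]

def audit(sessions, floor=POLICY_FLOOR):
    """Peers whose established session key has less than `floor` bytes of entropy."""
    return [s["peer"] for s in sessions
            if s["key_bytes"] is not None and s["key_bytes"] < floor]

if __name__ == "__main__":
    for minimum in (SPEC_MIN_BYTES, POLICY_FLOOR):
        sessions = run(minimum)
        print(f"responder minimum = {minimum} byte(s)")
        for s in sessions:
            state = "refused" if s["key_bytes"] is None else f"{s['key_bytes']} bytes"
            print(f"  {s['peer']:<15} sent={s['sent']:>2} -> {state}")
        print("  weak sessions:", audit(sessions))
```

A responder that accepts the specification minimum ends up with a 256-key search space on the altered link, while one that enforces its own floor refuses that link and leaves the others untouched.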

CenturyLink Unlinked

You may not be familiar with CenturyLink, but it maintains one of the backbone fiber networks serving telephone and internet connectivity. In December 2018, CenturyLink had a large outage affecting its fiber network, most notably disrupting 911 services for many across the United States for 37 hours. The incident report was released on Monday, and it’s… interesting.

Alarm System Defeated By $2 Wireless Dongle, Nobody Surprised

It seems a bit unfair to pile on a product that has already been roundly criticized for its security vulnerabilities. But when that product is a device that is ostensibly deployed to keep one’s family and belongings safe, it’s plenty fair. And when that device is an alarm system that can be defeated by a two-dollar wireless remote, it’s practically a responsibility.

The item in question is the SimpliSafe alarm system, a fully wireless, install-it-yourself system available online and from various big-box retailers. We’ve covered the system’s deeply flawed security model before, whereby SDRs can be used to execute a low-effort replay attack. As simple as that exploit is, it looks positively elegant next to [LockPickingLawyer]’s brute-force attack, which uses a $2 RF remote as a jammer for the 433-MHz wireless signal between sensors and the base unit.

With the remote in close proximity to the system, he demonstrates how easy it would be to open a door or window and enter a property guarded by SimpliSafe without leaving a trace. Yes, a little remote probably won’t jam the system from a distance, but a cheap programmable dual-band transceiver like those offered by Baofeng would certainly do the trick. Not being a licensed amateur operator, [LockPickingLawyer] didn’t test this, but we doubt thieves would have the respect for the law that an officer of the court does.

The bottom line with alarm systems is that you get what you pay for, or sadly, significantly less. Hats off to [LockPickingLawyer] for demonstrating this vulnerability, and for his many other lockpicking videos, which are well worth watching.
