Don’t Toss That Bulb, It Knows Your Password

January 29, 2019 by 70 Comments

Whether it was here on Hackaday or elsewhere on the Internet, you’ve surely heard more than a few cautionary tales about the “Internet of Things” by now. As it turns out, giving every gadget you own access to your personal information and Internet connection can lead to unintended consequences. Who knew, right? But if you need yet another example of why trusting your home appliances with your secrets is potentially a bad idea, [Limited Results] is here to make sure you spend the next few hours doubting your recent tech purchases.

In a series of posts on the [Limited Results] blog, low-cost “smart” bulbs are cracked open and investigated to see what kind of knowledge they’ve managed to collect about their owners. Not only was it discovered that bulbs manufactured by Xiaomi, LIFX, and Tuya stored the WiFi SSID and encryption key in plain-text, but that recovering said information from the bulbs was actually quite simple. So next time one of those cheapo smart bulb starts flickering, you might want to take a hammer to it before tossing it in the trash can; you never know where it, and the knowledge it has of your network, might end up.

Regardless of the manufacturer of the bulb, the process to get one of these devices on your network is more or less the same. An application on your smartphone connects to the bulb and provides it with the network SSID and encryption key. The bulb then disconnects from the phone and reconnects to your home network with the new information. It’s a process that at this point we’re all probably familiar with, and there’s nothing inherently wrong with it.

The trouble comes when the bulb needs to store the connection information it was provided. Rather than obfuscating it in some way, the SSID and encryption key are simply stored in plain-text on the bulb’s WiFi module. Recovering that information is just a process of finding the correct traces on the bulb’s PCB (often there are test points which make this very easy), and dumping the chip’s contents to the computer for analysis.

It’s not uncommon for smart bulbs like these to use the ESP8266 or ESP32, and [Limited Results] found that to be the case here. With the wealth of information and software available for these very popular WiFi modules, dumping the firmware binary was no problem. Once the binary was in hand, a little snooping around with a hex editor was all it took to identify the network login information. The firmware dumps also contained information such as the unique hardware IDs used by the “cloud” platforms the bulbs connect to, and in at least one case, the root certificate and RSA private key were found.

On the plus side, being able to buy cheap smart devices that are running easily hackable modules like the ESP makes it easier for us to create custom firmware for them. Hopefully the community can come up with slightly less suspect software, but really just keeping the things from connecting to anything outside the local network would be a step in the right direction.

(Some days later…)

[Limited Results] had hinted to us that he had previously disclosed some vulnerabilities to the bulb’s maker, but that until they fixed them, he didn’t want to make them public. They’re fixed now, and it appears that the bulbs were sending everything over the network unencrypted — your data, OTA firmware upgrades, everything.  They’re using TLS now, so good job [Limited Results]! If you’re running an old version of their lightbulbs, you might have a look.

On WiFi credentials, we were told: “In the case where sensitive information in the flash memory wasn’t encrypted, the new version will include encrypted storage processing, and the customer will be able to select this version of the security chips, which can effectively avoid future security problems.” Argue about what that actually means in the comments.

Follow The Bouncing Needles Of This Analog Meter Clock

January 29, 2019 by 12 Comments

Our community never seems to tire of clock builds. There are seemingly infinite ways to mark the passage of time, and finding unique ways to display it is endlessly fascinating.

There’s something about this analog voltmeter clock that really seems to have caught on with the Redditors who commented on the r/DIY thread where we first spotted this. [ElegantAlchemist]’s design is very simple – just a trio of moving coil meters with nice industrial-looking bezels. The meters were wired for 300 volts AC, so the rectifier and smoothing cap were removed and the series resistance was substituted for one more appropriate for the 0-5VDC range needed for the project. New dial faces showing hours, minutes and seconds were whipped up in Corel Draw, and everything was put into a sturdy and colorful aluminum “stomp box” normally used for effects pedals. An Arduino Nano and an RTC drive the meters with a nice, bouncy action. Simple, cheap to build, and a real crowd pleaser.

The observant reader will note a similarity to a clock we covered a while back. That one chose 3D-printed cases for an airplane instrument cluster look. We like the spare case design in [ElegantAlchemist]’s build, but wonder how this clock would look in a fine wood case.

What Happens When A Regular Person Finds A Huge Security Flaw?

January 29, 2019 by 38 Comments

The biggest news in the infosec world, besides the fact that balaclavas are becoming increasingly popular due to record-low temperatures across the United States, is that leet haxors can listen to you from your iPhone using FaceTime without you even answering the call. There are obvious security implications of this bug: phones should only turn on the microphone after you pick up a call. This effectively turns any iPhone running iOS 12.1 or later into a party line. In response Apple has taken group FaceTime offline in preparation of a software update later this week.

So, how does this FaceTime bug work? It’s actually surprisingly simple. First, start a FaceTime call with an iPhone contact. While the call is dialing, swipe up, and tap Add Person. Add your own phone number in the Add Person screen. This creates a group call with two instances of your iPhone, and the person you’re calling. You may now listen in to the audio of the person you originally called even though they haven’t chosen to pick up the call. Dumb? Yes. Insecure? Horribly. If your iPhone is ringing, the person on the other end could be listening in.

But this isn’t a story about how Apple failed yet again. This is a story about how this security flaw was found, and what a normal person can do if they ever find something like this.

Continue reading “What Happens When A Regular Person Finds A Huge Security Flaw?”

Plastics: PETG

January 29, 2019 by 30 Comments

You’d be hard-pressed to walk down nearly any aisle of a modern food store without coming across something made of plastic. From jars of peanut butter to bottles of soda, along with the trays that hold cookies firmly in place to prevent breakage or let a meal go directly from freezer to microwave, food is often in very close contact with a plastic that is specifically engineered for the job: polyethylene terephthalate, or PET.

For makers of non-food objects, PET and more importantly its derivative, PETG, also happen to have excellent properties that make them the superior choice for 3D-printing filament for some applications. Here’s a look at the chemistry of polyester resins, and how just one slight change can turn a synthetic fiber into a rather useful 3D-printing filament.

Continue reading “Plastics: PETG”

Interfacing The Sidewinder Joystick To AVRs

January 29, 2019 by 27 Comments

The Sidewinder line was a series of gaming peripherals produced by Microsoft, starting in the 1990s. After some initial stumbles, several cutting edge joysticks were released, at a time when the home computer market was in a state of flux, transitioning from legacy interfaces like serial and parallel to the more modern USB. In this interim period, Sidewinder joysticks used a special method to communicate digitally over the game port interface, which more typically used a kludge to read joysticks in an analog manner. [MaZderMind] managed to reverse engineer this protocol, and implemented the interface on an AVR microcontroller.

The technology is loosely described in US Patent 5628686, which discusses the method used to communicate bidirectionally with the Sidewinder joystick. [MaZderMind] found that the patent documents didn’t correspond exactly with how the Sidewinder Precision Pro communicated, but it was close enough that the operation could be reverse engineered.

The plan is to use the vintage joystick to control a quadcopter, so the interface was implemented on an AVR, and a graphical LCD installed to act as a display for testing the operation. [MaZderMind] also captured data on an oscilloscope to indicate in detail the quirks of the joystick’s operation.

Yes, it’s entirely possible to use a more modern microcontroller with a USB joystick. However, there are few that measure up to the standards of the old Sidewinder hardware, and sometimes the best tool for the job is the one you’ve got with you. A traditional single joystick is a different take on quadcopter control, but there’s other options – gesture control is possible, too.

 

Now That’s What I Call Crypto: 10 Years Of The Best Of Bitcoin

January 29, 2019 by 18 Comments

On January 3rd, 2009, the Genesis Block was created. This was the first entry on the Bitcoin blockchain. Because of the nature of Bitcoin, all transactions lead back to this block. This is where Bitcoin began, almost exactly ten years ago.

The Genesis Block was created by Satoshi, a person or persons we know nothing about. In the decade since, we’ve seen the astonishing rise and meteoric descent of Bitcoin, and then it happened again after the bubble was re-inflated.

Due to the nature of Bitcoins, blockchains, and ledgers, the entire history of Bitcoin has been recorded. Every coin spent and every satoshi scrupled has been recorded for all to see. It’s time for a retrospective, and not just because I wanted to see some art based on the covers of Now That’s What I Call Music albums. No, ten years is a lot of stories to tell.

Continue reading “Now That’s What I Call Crypto: 10 Years Of The Best Of Bitcoin”

Under The Hood Of Leica Camera Firmware

January 29, 2019 by 11 Comments

There’s nothing quite like waiting for something you’ve ordered online to arrive. In [Alex]’s case, he’d ordered a new Leica camera, only to find out there was a six month backlog in shipping. Wanting to whet his thirst regardless, he decided to investigate the Leica website, and reverse engineered a whole heap of camera firmware. As you do.

[Alex] didn’t stop at just one camera, instead spreading his interest across whatever firmware Leica happened to have online at the time. This approach led to improved effectiveness, as there were similarities in the firmware used between different cameras that made it easier to understand what was going on.

There are plenty of surprise quirks – from firmwares using the Doom WAD data format, to compression methods used by iD software in old game releases. [Alex]’s work runs the gamut from plotting out GUI icons on graph paper, to building custom tools to tease apart the operation of the code. Sample components were even sourced from connector manufacturers to reverse engineer various accessories, too.

[Alex]’s methodical approach and perseverance pays off, and it’s always interesting to get a look under the hood of the software underpinning consumer devices. We’ve even seen similar work done to decode the mysteries of Pokemon cries.

[Thanks to JRD for the tip!]