What Happens When A Regular Person Finds A Huge Security Flaw?

The biggest news in the infosec world, besides the fact that balaclavas are becoming increasingly popular due to record-low temperatures across the United States, is that leet haxors can listen to you from your iPhone using FaceTime without you even answering the call. There are obvious security implications of this bug: phones should only turn on the microphone after you pick up a call. This effectively turns any iPhone running iOS 12.1 or later into a party line. In response, Apple has taken group FaceTime offline in preparation for a software update later this week.

So, how does this FaceTime bug work? It’s actually surprisingly simple. First, start a FaceTime call with an iPhone contact. While the call is dialing, swipe up, and tap Add Person. Add your own phone number in the Add Person screen. This creates a group call with two instances of your iPhone, and the person you’re calling. You may now listen in to the audio of the person you originally called even though they haven’t chosen to pick up the call. Dumb? Yes. Insecure? Horribly. If your iPhone is ringing, the person on the other end could be listening in.

But this isn’t a story about how Apple failed yet again. This is a story about how this security flaw was found, and what a normal person can do if they ever find something like this.

Plastics: PETG

You’d be hard-pressed to walk down nearly any aisle of a modern food store without coming across something made of plastic. From jars of peanut butter to bottles of soda, along with the trays that hold cookies firmly in place to prevent breakage or let a meal go directly from freezer to microwave, food is often in very close contact with a plastic that is specifically engineered for the job: polyethylene terephthalate, or PET.

For makers of non-food objects, PET and more importantly its derivative, PETG, also happen to have excellent properties that make them the superior choice for 3D-printing filament for some applications. Here’s a look at the chemistry of polyester resins, and how just one slight change can turn a synthetic fiber into a rather useful 3D-printing filament.

Interfacing The Sidewinder Joystick To AVRs

The Sidewinder line was a series of gaming peripherals produced by Microsoft, starting in the 1990s. After some initial stumbles, several cutting edge joysticks were released, at a time when the home computer market was in a state of flux, transitioning from legacy interfaces like serial and parallel to the more modern USB. In this interim period, Sidewinder joysticks used a special method to communicate digitally over the game port interface, which more typically used a kludge to read joysticks in an analog manner. [MaZderMind] managed to reverse engineer this protocol, and implemented the interface on an AVR microcontroller.

The technology is loosely described in US Patent 5628686, which discusses the method used to communicate bidirectionally with the Sidewinder joystick. [MaZderMind] found that the patent documents didn’t correspond exactly with how the Sidewinder Precision Pro communicated, but it was close enough that the operation could be reverse engineered.

The plan is to use the vintage joystick to control a quadcopter, so the interface was implemented on an AVR, and a graphical LCD installed to act as a display for testing the operation. [MaZderMind] also captured data on an oscilloscope to indicate in detail the quirks of the joystick’s operation.

Yes, it’s entirely possible to use a more modern microcontroller with a USB joystick. However, there are few that measure up to the standards of the old Sidewinder hardware, and sometimes the best tool for the job is the one you’ve got with you. A traditional single joystick is a different take on quadcopter control, but there are other options – gesture control is possible, too.

Now That’s What I Call Crypto: 10 Years Of The Best Of Bitcoin

On January 3rd, 2009, the Genesis Block was created. This was the first entry on the Bitcoin blockchain. Because of the nature of Bitcoin, all transactions lead back to this block. This is where Bitcoin began, almost exactly ten years ago.

The Genesis Block was created by Satoshi, a person or persons we know nothing about. In the decade since, we’ve seen the astonishing rise and meteoric descent of Bitcoin, and then it happened again after the bubble was re-inflated.

Due to the nature of Bitcoins, blockchains, and ledgers, the entire history of Bitcoin has been recorded. Every coin spent and every satoshi scrupled has been recorded for all to see. It’s time for a retrospective, and not just because I wanted to see some art based on the covers of Now That’s What I Call Music albums. No, ten years is a lot of stories to tell.

Under The Hood Of Leica Camera Firmware

There’s nothing quite like waiting for something you’ve ordered online to arrive. In [Alex]’s case, he’d ordered a new Leica camera, only to find out there was a six month backlog in shipping. Wanting to whet his appetite regardless, he decided to investigate the Leica website, and reverse engineered a whole heap of camera firmware. As you do.

[Alex] didn’t stop at just one camera, instead spreading his interest across whatever firmware Leica happened to have online at the time. This approach led to improved effectiveness, as there were similarities in the firmware used between different cameras that made it easier to understand what was going on.

There are plenty of surprise quirks – from firmwares using the Doom WAD data format, to compression methods used by id Software in old game releases. [Alex]’s work runs the gamut from plotting out GUI icons on graph paper, to building custom tools to tease apart the operation of the code. Sample components were even sourced from connector manufacturers to reverse engineer various accessories, too.

[Alex]’s methodical approach and perseverance pay off, and it’s always interesting to get a look under the hood of the software underpinning consumer devices. We’ve even seen similar work done to decode the mysteries of Pokemon cries.

[Thanks to JRD for the tip!]

Adventures In Power Outage Hacking

The best type of power outage is no power outage, but they will inevitably happen. When they do, a hacker with a house full of stuff and a head full of ideas is often the person of the hour. Or the day, or perhaps the week, should the outage last long past the fun little adventure phase and become a nuisance or even an outright emergency.

Such was the position that [FFcossag] found himself in at the beginning of January, when a freak storm knocked out power to his community on a remote island in the middle of the Baltic Sea. [FFcossag] documented his attempts to survive the eight-day outage in vlog form, and although each entry is fairly long, there’s a lot to be learned from his ordeal. His main asset was a wood cook stove in the basement of the house, which served as his heat source. He used a car radiator and a small water pump to get some heat upstairs – a battery bank provided the power for that, at least for a while. The system evolved over the outage and became surprisingly good at keeping the upstairs warm.

The power eventually came back on, but to add insult to injury, almost as soon as it did, the ground-source heat pump in the house went on the fritz. A little sleuthing revealed an open power resistor in the heat pump control panel, but without a replacement on hand, [FFcossag] improvised. Parts from a 30-year-old TV transmitter were close at hand, including a nice handful of power resistors. A small parallel network gave the correct value and the heat pump came back online.

All in all, it was a long, cold week for [FFcossag], but he probably fared better than his neighbors. Want to be as prepared for your next outage? Check out [Jenny]’s comprehensive guide.

Tiny Cheap ARM Boards Get WiFi

Over the last few years, we’ve seen the value of putting tiny WiFi-enabled microcontrollers on a module that costs a dollar or two. Those smart light bulbs in your house probably have an ESP8266 in them, and you can build a WiFi-enabled anything with one of these chips for next to no money. Now there’s a new module that takes the design philosophy of, ‘a reasonably powerful microcontroller, on a module, that does WiFi’ to its logical conclusion. It’s the W600 module from Seeed Studios. It’s got an ARM Cortex-M3, it’s FCC and CE certified, it’s got WiFi, and it’s cheap. This is what the people want, so somebody’s got to give it to them.

This product seems to be the followup and/or refinement of the Air602 WiFi Development board released by Seeed late last year. While the module itself grew a few more castellated pins and an RF can, the other specs look to be the same. Compared to the ESP8266, which this module is obviously competing against, the Air600 is more than capable of pulling its own weight with five GPIO pins that do PWM, a decent amount of Flash, and all the WiFi support you could want.

The W600 is part of an entire family of boards, with the module itself readily available, but there are also a few breakout boards that add connections for power and serial, a bigger breakout board that’s trying really hard to forget the pin misalignment of the Arduino Uno, and since this is Seeed, a board that connects to everything via Grove connectors. What’s a Grove connector? It’s power, ground, and either I2C or serial over a connector I couldn’t buy the last time I checked.

The W600 and its family of boards will be shipping shortly — China is shutting down for two weeks soon, after all — and there are plans for support for the Arduino IDE, Micropython, and an SDK for the tool chain of your choice.

Is the ESP8266 still the go-to for adding WiFi? Probably. But here’s some more competition.