Hacker Claims Honda And Acura Vehicles Vulnerable To Simple Replay Attack

Keyless entry has become a standard feature on virtually all cars, where once it was a luxury option. However, it’s also changed the way that thieves approach the process of breaking into a car. After recent research, [HackingIntoYourHeart] claims that many modern Honda and Acura vehicles can be accessed with a simple replay attack using cheap hardware. 

It’s a bold claim, and one that we’d love to see confirmed by a third party. The crux of the allegations is that simply recording signals from a Honda or Acura keyfob is enough to compromise the vehicle. Reportedly, no rolling code system is implemented and commands can easily be replayed.

Given these commands control features like unlocking the doors, opening the trunk, and even remote starting the vehicle, it’s a concerning situation. However, it’s also somewhat surprising. Rolling code technology has been around for decades, and makes basic replay attacks more difficult. Range extender attacks that target keyfobs sitting inside homes or gas stations are more common these days.

Whether Honda has made a security faux pas, or if there’s something more at play here, remains to be seen. If you’ve got more information, or have been able to recreate the same hack on your own Honda, be sure to let us know. 

Freezing Out Ice Cream Machine Competition

We always knew that McDonald’s soft serve (you can’t really call it ice cream) machines are finicky. There’s even a website that tracks where the machines are broken and, apparently, it is usually about 10% or more of them at any given time. But when we saw a news article about a judge issuing a restraining order, we knew there must be more to the story. Turns out, these $18,000 soft serve machines are at the heart of something we are very interested in: when do you own your own technology?

Cold Tech

There are apparently 13,000 or so of these machines and they are supposedly high-tech marvels, able to produce soft serve and milkshakes at the same time. However, they are also high maintenance. Cleaning the machine every two weeks (try not to think about that) involves a complete teardown. Worse, if anything breaks, you need a factory-authorized service person.

Spaghetti Detective Users Boiled By Security Gaffe

For readers that might not spend their free time watching spools of PLA slowly unwind, The Spaghetti Detective (TSD) is an open source project that aims to use computer vision and machine learning to identify when a 3D print has failed and resulted in a pile of plastic “spaghetti” on the build plate. Once users have installed the OctoPrint plugin, they need to point it to either a self-hosted server that’s running on a relatively powerful machine, or TSD’s paid cloud service that handles all the AI heavy lifting for a monthly fee.

Unfortunately, 73 of those cloud customers ended up getting a bit more than they bargained for when a configuration flub allowed strangers to take control of their printers. In a frank blog post, TSD founder Kenneth Jiang owns up to the August 19th mistake and explains exactly what happened, who was impacted, and how changes to the server-side code should prevent similar issues going forward.

TSD allows users to remotely manage and monitor their printers.

For the record, it appears no permanent damage was done, and everyone who was potentially impacted by this issue has been notified. There was a fairly narrow window of opportunity for anyone to stumble upon the issue in the first place, meaning any bad actors would have had to be particularly quick on their keyboards to come up with some nefarious plot to sabotage any printers connected to TSD. That said, one user took to Reddit to show off the physical warning their printer spit out, the apparent handiwork of a fellow customer who discovered the glitch on their own.

According to Jiang, the issue stemmed from how TSD associates printers and users. When the server sees multiple connections coming from the same public IP, it’s assumed they’re physically connected to the same local network. This allows the server to link the OctoPrint plugin running on a Raspberry Pi to the user’s phone or computer. But on the night in question, an incorrectly configured load-balancing system stopped passing the source IP addresses to the server. This made TSD believe all of the printers and users who connected during this time period were on the same LAN, allowing anyone to connect with whatever machine they wished.

New code pushed to the TSD repository limits how many devices can be associated with a single IP.

The mix-up only lasted about six hours, and so far, only the one user has actually reported their printer being remotely controlled by an outside party. After fixing the load-balancing configuration, the team also pushed an update to the TSD code which puts a cap on how many printers the server will associate with a given IP address. This seems like a reasonable enough precaution, though it’s not immediately obvious how this change would impact users who wish to add multiple printers to their account at the same time, such as in the case of a print farm.
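The failure and the mitigation described above can be modelled in a few lines. This is an added sketch, not TSD’s code: the `X-Forwarded-For` header, the cap value, and the choice to refuse linking once the cap is exceeded are all assumptions, and the addresses are constructed.

```python
MAX_PRINTERS_PER_IP = 3   # assumption: the article does not state the real limit
LB_ADDR = "10.0.0.5"      # constructed address of the load balancer

def client_ip(headers: dict, peer_addr: str) -> str:
    """Source IP as the app sees it behind a balancer (header name is an assumption)."""
    forwarded = headers.get("X-Forwarded-For", "")
    # If the balancer stops sending the header, every client collapses
    # to the balancer's own address and looks like one LAN.
    return forwarded.split(",")[0].strip() or peer_addr

class Linker:
    def __init__(self, cap=None):
        self.cap = cap
        self.printers_by_ip = {}

    def printer_seen(self, printer_id, headers, peer_addr):
        ip = client_ip(headers, peer_addr)
        self.printers_by_ip.setdefault(ip, set()).add(printer_id)

    def discoverable(self, headers, peer_addr):
        """Printers offered to a user because they share the user's public IP."""
        found = self.printers_by_ip.get(client_ip(headers, peer_addr), set())
        if self.cap is not None and len(found) > self.cap:
            return set()   # implausibly many devices on one IP: offer nothing
        return set(found)

def scenario(lb_forwards_ip: bool, cap=None) -> set:
    """Five unrelated customers, one printer each; returns what customer 1 is offered."""
    def headers_for(ip):
        return {"X-Forwarded-For": ip} if lb_forwards_ip else {}

    linker = Linker(cap)
    for i in range(5):
        linker.printer_seen(f"printer-{i}", headers_for(f"203.0.113.{i + 1}"), LB_ADDR)
    return linker.discoverable(headers_for("203.0.113.1"), LB_ADDR)
```

With the header forwarded, customer 1 sees only their own printer; with it dropped, they see all five unless the cap is in place. The sketch also shows the print-farm concern: a legitimate site with more printers than the cap would be offered nothing.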

While no doubt an embarrassing misstep for the team at The Spaghetti Detective, we can at least appreciate how swiftly they dealt with the issue and their transparency in bringing the flaw to light. This is also an excellent example of how open source allows the community to independently evaluate the fixes applied by the developer in response to a discovered flaw. Jiang says the team will be launching a full security audit of their own as well, so expect more changes getting pushed to the repository in the near future.

We were impressed with TSD when we first covered it back in 2019, and glad to see the project has flourished since we last checked in. Trust is difficult to gain and easy to lose, but we hope the team’s handling of this issue shows they’re on top of things and willing to do right by their community even if it means getting some egg on their face from time to time.

Valve Sells Software, So What’s With All The Hardware?

Steam branding is strong. Valve Corporation has turned their third-party marketplace into the first place millions choose to buy their PC games. The service saw record-breaking numbers earlier this year with over 25 million concurrent users, so whatever they are doing is clearly working. Yet with all those software sales, last month Valve announced a new piece of hardware they call the Steam Deck.

Use whichever colloquialism you’d like, “not resting on your laurels” or “Mamba Mentality”, it’s not as if competitors in the handheld PC space are boasting ludicrous sales numbers. At their core, Valve is in the business of selling computer games. So why venture into making hardware?

Xbox Flexure Joystick Puts You In The Pilot’s Seat

With the recent release of Microsoft Flight Simulator on the Xbox Series X|S there’s never been a better time to get a flight stick for the console, and as you might imagine, there are a number of third party manufacturers who would love to sell you one. But where’s the fun in that?

If you’ve got a fairly well tuned 3D printer, you can print out and assemble this joystick by [Akaki Kuumeri] that snaps right onto the Xbox’s controller. Brilliantly designed to leverage the ability of 3D printers to produce compliant mechanisms, or flexures, you don’t even need any springs or fasteners to complete assembly.

The flexure gimbal works without traditional springs.

The free version on Thingiverse only lets you move the controller’s right analog stick, but if you’re willing to drop $30 USD on the complete version, the joystick includes additional levers that connect to the controller’s face and shoulder buttons for more immersive control. There’s even a throttle that snaps onto the left side of the controller, though it’s optional if you’d rather save the print time.

If you want to learn more about the idea behind the joystick, [Akaki] is all too happy to walk you through the finer parts of the design in the video below. But the short version is that the use of flexures in the base of the joystick opened up the space he needed to run the mechanical linkages for all the other buttons.

This isn’t the first time [Akaki] has used 3D printed parts to adapt a console controller for flight simulator use. A simplified version of this concept used ball-and-socket joints to move the Xbox’s analog sticks, and he even turned a PlayStation DualShock into an impressive flight yoke you could clamp to your desk.

New Contest: Halloween Hackfest

It’s as if Halloween was made for hardware hackers. The world is begging us to build something clever as we decorate our houses and ourselves for the big day. And one thing’s for sure: the Hackaday crowd never disappoints. This year we’re fully embracing that with the Halloween Hackfest, our newest contest beginning today along with the help of our sponsors Digi-Key and Adafruit.

The animated video combined with the 3D-printed prop makes for an excellent effect.

Wait, isn’t it the beginning of August? Why are we talking about Halloween? The procrastinator’s dilemma, that’s why! Start working on your build now and it will be epic by the time the day actually rolls around. Decorating for trick-or-treaters is a good place to start. For our money, projected heads are a really cool party trick, like these singing Jack-o-lanterns, or these disembodied heads inspired by Disney’s Haunted Mansion. Or maybe you’re more of a flamethrower-hidden-in-pumpkin type of person?

It doesn’t take much tech to bring a good costume to life — a few LED strips make a plain old princess dress light up the night and build some permanent memories for the lucky little one who’s wearing it. Speaking of memories, we doubt the little one will remember this mechwarrior family costume, which is why you’ve always got to make a video of these things.

Over the years we’ve seen claw machines for candy delivery, and even a pumpkin piano. Of course pumpkin carving is an entire category unto itself where five-axis CNC machines are fair game. Look around, get inspired, and build something!

Three top winners will receive $150 shopping sprees in Digi-Key’s parts warehouse. If your build happens to use an Adafruit board, your prize will be doubled. We’ll also be awarding some $50 Tindie gift cards to the most artistic projects.

Get started now by creating a project page on Hackaday.io. In the left sidebar of your project page, use the “Submit Project To” button to enter in the Halloween Hackfest. You have from now until October 11th to spill the beans (pumpkin seeds) on what you’ve made.

Building A Solar Powered Game Boy Pocket

Light has always been a key part of the classic Game Boy experience. Some of us have fond memories of riding along in the back seat of a car at night, pausing and unpausing the game as the street lights overhead briefly give enough light to see the unlit display. The availability of third party IPS displays for these classic handhelds has largely eradicated this problem today, but as you might expect, the increased power requirements of the more modern screen reduces the system’s runtime.

Installing the USB-C charge controller.

As part of their examination into energy production, the [Houston Museum of Natural Science] set out to see if they could improve things by adding a solar panel to the back of a Game Boy Pocket that had already been modified with an IPS display. The Pocket version of the Game Boy was selected as it has a nice flat back that made it easy to attach a solar panel, and in fact the panel sourced for this mod is so well dimensioned, it almost looks like the device came that way.

In the video below, you can see the modification starts by cutting away a large section of the Game Boy’s rear panel to fit the 1000 mAh LiPo battery. The solar panel is then affixed over the back with super glue. A diode is soldered onto the solar cell, and then wired into a charge controller that came with USB-C input. The placement of the charge controller ended up being trickier than expected, but with a little hot glue, it works just fine. Overall this is a simple mod but a brilliant idea.

This isn’t the first solar-powered handheld game system we’ve seen, but it’s nice to see the idea revisited and expanded on, particularly regarding ergonomics. In addition, we love the incredible detail of narration that’s given as this hack slowly takes shape. Video after the break.
