This Week In Security: Malicious Clipboards, Snakes On A Domain, And Binary Golf

There’s a bit of a panic regarding Chromium, Google Chrome, the system clipboard, and of all things, Google Doodles on the New Tab Page. It’s all about Chromium issue 1334203, “NewTabPageDoodleShareDialogFocusTest.All test fails when user gesture is enforced”. You see, Chromium has quite a large regression test suite, and Google engineers want to ensure that the Google Doodles always work. A security feature added to the clipboard handling API happened to break a Doodles test, so to fix the Doodle, the security feature was partially reverted. The now-missing feature? Requiring user interaction before a page can read or write to the clipboard.

Now you understand why there’s been a bit of a panic — yes, that sounds really bad. Pages arbitrarily reading from your clipboard is downright malicious and dangerous. And if no interaction is required, then any page can do so, right? No, not quite. Chrome has a set of protections under which there are certain things a page cannot do until the user has interacted with it. You might see this at play in Discord when trying to refresh a page containing a video call. “Click anywhere on this page to enable video.” It’s intended to prevent annoying auto-play videos and other irritating page behavior. And most importantly, it’s *not* the only protection against a page reading your clipboard contents. See for yourself. Reading the clipboard is a site permission, just like accessing your camera or mic.

Now it’s true that a site could potentially *write* to the clipboard, and use this to try to be malicious. For example, writing rm -rf / on a site that claims to be showing off Linux command line tips. But that’s always been the case. It’s why you should always paste into a simple text editor, and not straight into the console from a site. So, really, no panic is necessary. The Chromium devs tried to roll out a slightly more aggressive security measure, and found it broke something unrelated, so partially rolled it back. The sky is not falling.

MH-Z19-like NDIR CO2 Sensor HC8 Found And Explored

While on the search for an alternative to directly buying the fairly expensive MH-Z19 CO2 sensor, [spezifisch] came across a ‘BreeRainz’ branded gadget (also found under other brands) that claimed to use an NDIR (Non-Dispersive Infrared) sensor for measuring CO2 levels, while costing only €25. This type of sensor allows for CO2 levels to be measured directly, rather than inferred, making them significantly more precise.

The BreeRainz DM1308A device cracked open.

After cracking the gadget open (literally, due to the hidden screws), the CO2 sensor is clearly visible. While superficially identical to an MH-Z19, the NDIR sensor is actually called ‘HC8’ and is produced by 广州海谷电子科技有限公司 (Guangzhou Haigu Electronic Technology Co., Ltd.). Although it is pin-compatible with the MH-Z19, its UART protocol is not the same. Fortunately there is a datasheet to help with implementing it, which is what [spezifisch] did.

This raises the question of whether harvesting NDIR CO2 sensors like this is worth it to save a few Euros. A quick look on German Amazon shows that the device in question currently costs €35, while a genuine MH-Z19 can be bought for €25 or less. There are also many MH-Z19 models (B, C and D), which cover an even wider price range. All of which suggests that finding a device containing an NDIR sensor can be interesting when it’s on sale, but if all you care about is the sensor itself, it’s probably best to just buy one directly.

Introducing FISSURE: A Toolbox For The RF Hacker

No matter what the job at hand is, if you’re going to tackle it, you’re going to need the right kit of tools. And if your job includes making sense out of any of the signals in the virtual soup of RF energy we all live in, then you’re going to need something like the FISSURE RF framework.

Exactly what FISSURE is is pretty clear from its acronym, which stands for Frequency Independent SDR-Based Signal Understanding and Reverse Engineering. This is all pretty new — it looks like [Chris Poore] presented a talk at DEFCON a few weeks back about using FISSURE to analyze powerline communications between semi-trucks and their trailers, and they’ve got a talk scheduled for next month’s GNU Radio Conference as well. We’ve been looking through all the material we can find on FISSURE, and it appears to be an RF hacker’s dream come true. They’ve got a few examples on Twitter, like brute-forcing an old garage door opener with a security code set by a ten-position DIP switch, and sending tire pressure monitoring system (TPMS) signals to a car. They also mention some of the framework’s capabilities on the GitHub README; we’re especially interested in packet crafting for various protocols. The video below has some more examples of what FISSURE can do.

It looks like FISSURE could be a lot of fun, and very handy for your RF analysis and reverse engineering work. If you’ve been using Universal Radio Hacker like we have, this looks similar, only more so. We’ll be downloading it soon and giving it a try, so be on the lookout for a hands-on report.


Bit-Banged Ethernet On The Raspberry Pi Pico

Whilst the Raspberry Pi RP2040 is quite a capable little chip, on the whole it’s nothing really special compared to the big brand offerings. But the PIO peripheral is a bit special, and its inclusion was clearly a masterstroke of foresight, because it has bestowed on the platform all kinds of capabilities that would be really hard to achieve any other way, especially for the price.

Our focus this time is on Ethernet, utilizing the PIO as a simple serialiser to push out a pre-formatted bitstream. [kingyo] so far has managed to implement the Pico-10BASE-T providing the bare minimum of UDP transmission (GitHub project) using only a handful of resistors as a proof of concept. For a safer implementation it is more usual to couple such a thing magnetically, and [kingyo] does show construction of a rudimentary pulse transformer, although off the shelf parts are obviously available for this. For the sake of completeness, it is also possible to capacitively couple Ethernet hardware (check out this Micrel app note for starters) but it isn’t done all that much in practice.

Inside the expedient pulse transformer.

UDP is a simple Ethernet protocol for transferring application data. Being connection-less, payload data are simply formatted into a packet buffer up front. This is all fine, until you realize that the packets are pretty long and the bitrate can be quite high for a low-cost uC, which is why devices with dedicated Ethernet MAC functionality have a specific hardware serialiser-deserialiser (SERDES) block just for this function.

Like many small uC devices, the RP2040 does not have a MAC function built in, but it does have the PIO, and that can easily be programmed to perform the SERDES function in only a handful of lines of code, albeit only currently operating at 10 MBit/sec. This will cause some connectivity problems for modern switch hardware, as they will likely no longer support this low speed, but that’s easily solved by snagging some older switch hardware off eBay.

As for the UDP receive, that is promised for the future, but for getting data out of a remote device over a wired network, Pico-10BASE-T is a pretty good starting point. We’ve seen a few projects before that utilize the PIO to generate high speed signals, such as DVI, albeit with a heavy dose of overclocking needed. If you want a bit more of an intro to all things Pico, you could do worse than check out this video series we highlighted a while back.

I3C — No Typo — Wants To Be Your Serial Bus

Remember old hard drives with their giant ribbon cables? They went serial and now the power cables are way thicker than the data cables. We’ve seen the same thing in embedded devices. Talking between chips these days tends to use I2C or SPI or some variation of these to send and receive data over a handful of pins. But now there is I3C, a relatively new industry standard that is getting a bit of traction.

I2C and SPI are mature but they do have problems. I2C can be relatively slow and SPI usually requires extra pins for each device. Besides that, there is poor support for adding and removing devices dynamically or discovering devices automatically.

I3C, created by the MIPI Alliance, aims to fix these problems. It does use the usual two wires, SCL for the clock and SDA for data. One device acts as a controller. Other devices can be targets or secondary controllers. It is also backward compatible with I2C target devices. Depending on how you implement it, speeds can be quite fast, with a raw speed of 12.5 Mbps, and line coding techniques can take that to around 33 Mbps.


Is This The Oldest Open Source HVAC Project In Existence?

Homebrew HVAC systems are one of those projects that take such a big investment of time, effort and money that you’ve got to be a really dedicated (ideally home-owning) hacker with a wide variety of multidisciplinary skills to pull off an implementation that can work in reality. One such HVAC hacker is [Vadim Tkachenko] with his multi-zone Home Climate Control (HCC) project that we covered first back in 2007. We now have a rare opportunity to look at the improvements fifteen years of part-time development can produce, when a project is used all day, all year round in their own home. At the start, things were simple, just opening and closing ventilators with none of that modern MQTT-driven cloud computing stuff.

ESP8266 Smart Vents Keep Tabs On Home Temps

Have you ever found that, despite having a central heating and air conditioning system, not all the rooms in your home end up being the temperature you want them to be? Maybe the dining room gets too hot when the heater is running, or the bedroom never seems to cool off enough in the summer months. If that sounds like your house, then these motorized “smart vents” from [Tony Brobston] might be exactly what you need.

The idea here is pretty simple: an ESP8266 and a servo are built into the 3D printed vent register, which allows it to control the position of its louvers. When connected to your home automation system via MQTT, the vents allow you to control the airflow to each room individually based on whatever parameters you wish. Most likely, you’ll want to pair these vents with an array of thermometers distributed throughout the house.

While [Tony] says the design still needs some testing, he’s released smart vents in a range of sizes from 2×10 to 6×12 inches. He’s also provided excellent documentation on how to print, assemble, and program the devices. It’s clear that a lot of care and thought went into every element of this project, and we’re excited to see how it can be developed further by the new ideas and contributors that will inevitably pop up now that it’s gone public.

Want to add some automation to your HVAC, but don’t have a fancy central unit? Don’t worry, as long as your heater or air conditioner has an infrared remote, you should be able to wedge a WiFi-enabled microcontroller into the equation.
