Hacking Kia: Remotely Hijack A Car Using Only Its License Plate

These days everything needs to be connected to remote servers via the internet, whether it’s one’s TV, fridge or even that new car you just bought. A recently discovered (and already patched) vulnerability concerning Kia cars was a doozy in this regard, as a fairly straightforward series of steps allowed for any attacker to obtain the vehicle identification number (VIN) from the license plate, and from there become registered as the car’s owner on Kia’s network. The hack and the way it was discovered are described in great detail on [Sam Curry]’s website, along with the timeline of its discovery.

Notable is that this isn’t the first vulnerability discovered in Kia’s HTTP-based APIs, with [Sam] this time taking a poke at the dealer endpoints. To his surprise, he was able to register as a dealer and obtain a valid session ID, with which he could then proceed to query Kia’s systems for a user’s registered email address and phone number.

With a specially crafted tool to automate the entire process, this information was then used to demote the car’s owner and register the attacker as the primary owner. After this the attacker was free to lock/unlock the doors, honk to his heart’s content, locate the car and start/stop the vehicle. The vulnerability affected all Kia cars made after 2013, with the victim having no indication of their vehicle having been hijacked in this manner. Aside from the doors randomly locking, the quaint honking and engine turning on/off at a whim, of course.

Perhaps the scariest part about this kind of vulnerability is that it could have allowed an attacker to identify a vulnerable parked car and gain access before getting into the car, starting the engine and driving away. As long as these remote APIs allow for such levels of control, one might hope that one day car manufacturers will take security somewhat more seriously, as this is only the latest in a seemingly endless series of amusingly terrifying security vulnerabilities that require nothing more than some bored hackers with HTTP query crafting tools to discover.


This Week In Security: Password Sanity, Tank Hacking, And The Mystery 9.9

It looks like there’s finally hope for sane password policies. The US National Institute of Standards and Technology, NIST, has released a draft of SP 800-63-4, the Digital Identity Guideline.

There’s password guidance in there, like “SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords” and “SHALL NOT require users to change passwords periodically.” NIST-approved passwords must be at least 8 characters long, with a weaker recommendation of at least 15 characters. Security questions like name of first pet get the axe. And it’s strongly recommended that all ASCII and Unicode characters should be acceptable for passwords.

This is definitely moving in the right direction. NIST guidelines are only binding for government services and contractors, though they do eventually get picked up by banks and other industries. So there’s hope for sane password policies eventually.

Tank Hacking

Researchers at Bitsight are interested in infrastructure security, and they opted to take a closer look at Automatic Tank Gauging (ATG) systems. Those are found at gas stations, as well as any other facility that needs automated monitoring of liquids or gasses in a tank. There is an actual ATG message format, originally designed for RS-232 serial, and woefully unprepared for the interconnected present. The protocol allows for an optional security code, but it maxes out at only six alpha-numeric characters.

Among the vulnerabilities getting announced today, we have a pair of CVSS 10 command injection flaws, a quartet of 9.8 authentication bypass flaws, with one of those being a hardcoded credential — AKA a backdoor. The other CVSS 9+ flaw is a SQL injection, with a trio of slightly less serious flaws.

An Ode To The SAO

There are a lot of fantastic things about Hackaday Supercon, but for me personally, the highlight is always seeing the dizzying array of electronic bits and bobs that folks bring with them. If you’ve never had the chance to join us in Pasadena, it’s a bit like a hardware show-and-tell, where half the people you meet are eager to pull some homemade gadget out of their bag for an impromptu demonstration. But what’s really cool is that they’ve often made enough of said device that they can hand them out to anyone who’s interested. Put simply, it’s very easy to leave Supercon with a whole lot more stuff than you came in with.

Most people would look at this as a benefit of attending, which of course it is. But in a way, the experience bummed me out for the first couple of years. Sure, I got to take home a literal sack of incredible hardware created by members of our community, and I’ve cherished each piece. But I never had anything to give them in return, and that didn’t quite sit right with me.

So last year I decided to be a bit more proactive and make my own Simple Add-On (SAO) in time for Supercon 2023. With a stack of these in my bag, I’d have a personalized piece of hardware to hand out that attendees could plug right into their badge and enjoy. From previous years I also knew there was something of an underground SAO market at Supercon, and that I’d find plenty of people who would be happy to swap their own add-ons for mine.

To say that designing, building, and distributing my first SAO was a rewarding experience would be something of an understatement. It made such an impression on me that it ended up helping to guide our brainstorming sessions for what would become the 2024 Supercon badge and the ongoing SAO Contest. Put simply, making an SAO and swapping it with other attendees adds an exciting new element to a hacker con, and you should absolutely do it.

So while you’ve still got time to get PCBs ordered, let’s take a look at some of the unique aspects of creating your own Simple Add-On.


Remembering CompuServe: The Online Experience Before The World Wide Web

July 1981 cover of CompuServe’s magazine.

Long before the advent of the Internet and the World Wide Web, there were other ways to go online, with Ohio-based CompuServe being the first to offer a consumer-oriented service on September 24, 1979. In an article by [Michael De Bonis] a listener-submitted question to WOSU’s Curious Cbus is answered, interspersed with recollections of former users of the service. So what was CompuServe’s contribution to society that was so important that the state of Ohio gave historical status to the building that once housed this company?

The history of CompuServe and the consumer-facing services which it would develop started in 1969, when it was a timesharing and remote access service for businesses who wanted to buy some time on the PDP-10s that Golden United Life Insurance as the company’s subsidiary used. CompuServe divested in 1975 to become its own, NASDAQ-listed company. As noted in the article, while selling timeshares to businesses went well, after business hours they would have these big computer systems sitting mostly idle. This was developed by 1979 into a plan to give consumers with their newfangled microcomputers like the TRS-80 access.

Originally called MicroNet and marketed by Radio Shack, the service offered the CompuServe menu to users when they logged in, giving access to features like email, weather, stock quotes, online shipping and booking of airline tickets, as well as online forums and interactive text games.

Later renamed to CompuServe Information Service (CIS), it remained competitive with rivals like AOL and Prodigy until the mid-90s, even buying one competitor called The Source. Ultimately it was the rise of the Internet and the WWW that would close the door on this chapter of computing history, even as for CompuServe users this new Internet age would have felt very familiar, indeed.

Inviting The Public To Take Stereo Photos For Science

[Lynnadeng]’s team wanted to monitor the Los Angeles River over time and wanted citizen scientists — or anyone, for that matter — to help. They built a dual phone holder to allow random passersby to use their phones to take photos. A QR code lets them easily send the pictures to the team. The 3D printed holder is fixed in place and has a known gap that allows stereo reconstruction from pairs of photos.

Of course, people aren’t going to know what to do, so you need a sign with instructions along with the QR code. One advantage to this scheme is that it’s cheap. All the camera hardware is in the public’s phone. Of course, you still have to make the holder robust to the elements, but that’s not nearly as difficult as supplying power and weatherproofing cameras and radios.

The really interesting part is the software. At first, we were disappointed that the post had a dead link to GitHub, but it was easy enough to find the correct one. In some cases, people will use a single camera, so 3D reconstruction isn’t always possible.

We love citizen science around here. No matter where you live, there are many opportunities to contribute.

Upgraded Raster Laser Projector Goes RGB

We covered a scanning laser project by Ben Makes Everything last year, and now he’s back with a significant update. [Ben]’s latest project now offers a higher resolution and RGB lasers. A couple of previous versions of the device used the same concept of a rotating segmented mirror synchronised to a pulsed laser diode to create scanlines. When projected onto a suitable surface, the distorted, pixelated characters looked quite funky, but there was clearly room for improvement.

More scanlines and a faster horizontal pixel rate

The previous device used slightly inclined mirrors to deflect the beam into scanlines, with one mirror per scanline limiting the vertical resolution. To improve resolution, the mirrors were replaced with identically aligned mirrors of the type used in laser printers for horizontal scanning. An off-the-shelf laser galvo was used for vertical scanning, allowing faster scanning due to its small deflection angle. This setup is quicker than the usual vector galvo application, as the smaller movements require less time to complete. Once the resolution improvement was in hand, the controller upgrade to a Teensy 4 gave more processing bandwidth than the previous Arduino and a consequent massive improvement in image clarity.

Finally, monochrome displays don’t look anywhere near as good as an RGB setup. [Ben] utilised a dedicated RGB laser setup since he had trouble sourcing the appropriate dichroic mirrors to match available lasers. This used four lasers (with two red ones) and the correct dichroic mirrors to combine each laser source into a single beam path, which was then sent to the galvo. [Ben] tried to find a DAC solution fast enough to drive the lasers for a proper colour-mixing input but ended up shelving that idea for now and sticking with direct on-off control. This resulted in a palette of just seven colours, but that’s still a lot better than monochrome.

The project’s execution is excellent, and care was taken to make it operate outdoors with a battery. Even with appropriate safety measures, you don’t really want to play with high-intensity lasers around the house!

Here’s the previous version we covered, a neat DIY laser galvo using steppers, and a much older but very cool RGB vector projector.


Illustrated Kristina with an IBM Model M keyboard floating between her hands.

Keebin’ With Kristina: The One With The (Mc)Cool Typewriter

A hand and wrist with a gesture detection ring and a control box on the wrist.
Image by [ambrush] via Hackaday.IO

Okay, so this isn’t a traditional keyboard, but you can probably figure out why the RuneRing is here. Because it’s awesome! Now, let me give you the finer points.

Hugely inspired by both ErgO and Somatic, RuneRing is a machine learning-equipped wearable mouse-keyboard that has a configurable, onboard ML database that can be set up to detect any gesture.

Inside the ring is a BMI160 6-axis IMU that sends gesture data to the Seeed Studio nRF52840 mounted on the wrist. Everything is powered with an 80mAh Li-Po lifted from a broken pair of earbuds.

Instead of using a classifier neural network, RuneRing converts IMU data to points in 24-dimensional space. Detecting shapes is done with a statistical check. The result is a fast and highly versatile system that can detect a new shape with as few as five samples.
