cons

1308 Articles

36C3: All Wireless Stacks Are Broken

December 30, 2019 by 29 Comments

Your cellphone is the least secure computer that you own, and worse than that, it’s got a radio. [Jiska Classen] and her lab have been hacking on cellphones’ wireless systems for a while now, and in this talk gives an overview of the wireless vulnerabilities and attack surfaces that they bring along. While the talk provides some basic background on wireless (in)security, it also presents two new areas of research that she and her colleagues have been working on the last year.

One of the new hacks is based on the fact that a phone that wants to support both Bluetooth and WiFi needs to figure out a way to share the radio, because both protocols use the same 2.4 GHz band. And so it turns out that the Bluetooth hardware has to talk to the WiFi hardware, and it wouldn’t entirely surprise you that when [Jiska] gets into the Bluetooth stack, she’s able to DOS the WiFi. What this does to the operating system depends on the phone, but many of them just fall over and reboot.

Lately [Jiska] has been doing a lot of fuzzing on the cell phone stack enabled by some work by one of her students [Jan Ruge] work on emulation, codenamed “Frankenstein”. The coolest thing here is that the emulation runs in real time, and can be threaded into the operating system, enabling full-stack fuzzing. More complexity means more bugs, so we expect to see a lot more coming out of this line of research in the next year.

[Jiska] gives the presentation in a tinfoil hat, but that’s just a metaphor. In the end, when asked about how to properly secure your phone, she gives out the best advice ever: toss it in the blender.

36C3: Open Source Is Insufficient To Solve Trust Problems In Hardware

December 29, 2019 by 29 Comments

With open source software, we’ve grown accustomed to a certain level of trust that whatever we are running on our computers is what we expect it to actually be. Thanks to hashing and public key signatures in various parts in the development and deployment cycle, it’s hard for a third party to modify source code or executables without us being easily able to spot it, even if it travels through untrustworthy channels.

Unfortunately, when it comes to open source hardware, the number of steps and parties involved that are out of our control until we have a final product — production, logistics, distribution, even the customer — makes it substantially more difficult to achieve the same peace of mind. To make things worse, to actually validate the hardware on chip level, you’d ultimately have to destroy it.

On his talk this year at the 36C3, [bunnie] showed a detailed insight of several attack vectors we could face during manufacturing. Skipping the obvious ones like adding or substituting components, he’s focusing on highly ambitious and hard to detect modifications inside an IC’s package with wirebonded or through-silicon via (TSV) implants, down to modifying the netlist or mask of the integrated circuit itself. And these aren’t any theoretical or “what if” scenarios, but actual possible options — of course, some of them come with a certain price tag, but in the end, with the right motivation, money is only a detail.

Continue reading “36C3: Open Source Is Insufficient To Solve Trust Problems In Hardware”

36C3: Phyphox – Using Smartphone Sensors For Physics Experiments

December 29, 2019 by 7 Comments

It’s no secret that the average smart phone today packs an abundance of gadgets fitting in your pocket, which could have easily filled a car trunk a few decades ago. We like to think about video cameras, music playing equipment, and maybe even telephones here, but let’s not ignore the amount of measurement equipment we also carry around in form of tiny sensors nowadays. How to use those sensors for educational purposes to teach physics is presented in [Sebastian Staacks]’ talk at 36C3 about the phyphox mobile lab app.

While accessing a mobile device’s sensor data is usually quite straightforwardly done through some API calls, the phyphox app is not only a shortcut to nicely graph all the available sensor data on the screen, it also exports the data for additional visualization and processing later on. An accompanying experiment editor allows to define custom experiments from data capture to analysis that are stored in an XML-based file format and possible to share through QR codes.

Aside from demonstrating the app itself, if you ever wondered how sensors like the accelerometer, magnetometer, or barometric pressure sensor inside your phone actually work, and which one of them you can use to detect toilet flushing on an airplane and measure elevator velocity, and how to verify your HDD spins correctly, you will enjoy the talk. If you just want a good base for playing around with sensor data yourself, it’s all open source and available on GitHub for both Android and iOS.

Continue reading “36C3: Phyphox – Using Smartphone Sensors For Physics Experiments”

Bend It Like Bhoite: Circuit Sculptures Shatter The Bounds Of Flatland

December 27, 2019 by 5 Comments

As electronics hobbyists, we live in a somewhat two-dimensional world. Our craft is so centered around the printed circuit board that our design tools are specifically geared to spit out files tailored to the board house, who can then ship us a study in fiberglass and copper. We daub on flux and solder, add components, apply heat, and like magic, our circuits come to life, all within a few millimeters above and below the PCB.

Breaking out of this self-imposed Flatland can be therapeutic. At least that’s how Mohit Bhoite sees his free-form circuit sculptures, which he spoke about at length at the Hackaday Superconference this year. By way of disclosure, I have to admit to being a longtime fan of Mohit’s work, both at his day job as a designer at Particle, and with his spare time hobby of creating sculptures from electronic components and brass wire which can be followed on his Twitter feed. He ended up joining us for a circuit sculpture Hack Chat just before heading to Supercon, too, so not only was I looking forward to meeting him, I was sure his talk would reveal the secrets of his art and give me the inspiration to start doing some of my own. I wasn’t disappointed on either score.

Continue reading “Bend It Like Bhoite: Circuit Sculptures Shatter The Bounds Of Flatland”

Supercon Talk: Emily Velasco Wants You To Work Weird

December 23, 2019 by 5 Comments

Emily Velasco seems to absolutely delight in the weird, and we think that is wonderful. Weird brings us together. If you can be weird with someone else, you’ll have a special bond for life. In her inspiring 2019 Supercon talk (embedded below), Emily explains why she is drawn to weird things, and why you should be, too. Her enthusiasm is both palpable and infectious, so don’t be surprised if you suddenly want to drop everything to accompany her on a treasure hunt adventure and spend the rest of the day making things.

Emily doesn’t try to push making weird things on to you, but her reasons for working in weird are quite compelling. Weird things catch the eye and interrupt the tedium of our lives. They give us pause and invite us to look again. You can choose to turn away if you want. But if you look closer, you might find that ugly, weird, and annoying things begin to charm you.

Emily says the formative force that pulled her toward the weird was the gang of mutant toys that the villainous Sid made in Toy Story. They force you to look closer and to consider them. But Emily is far from mean-spirited — she builds her creations with love, and not to act out or to spite her little sister. They’re not what you expect, and even if someone finds them off-putting at first, they are undeniably interesting.

Continue reading “Supercon Talk: Emily Velasco Wants You To Work Weird”

Hackaday Is Going To The 36th Chaos Communication Congress

December 20, 2019 by 8 Comments

It’s that time of year again here in Germany. The mulled wine flows all night long at the Christmas markets, the Krampus runs wild in the streets, and hackers are perched frantically behind their keyboards and soldering irons, trying to get their last minute projects “finished” for the 36th annual Chaos Communication Congress (36C3) in Leipzig.

We’ll have an assembly for all fans and friends of the Jolly Wrencher, so if you’re coming to Congress, you can come join us or at least stop by and say hi. [Elliot] and [Sven] and a number of Hackaday.io luminaries will be on hand. (Ask us about secret stickers and an as-yet unannounced upcoming Hackaday conference.)

Even if you’re not able to make it, you should keep your eyes on Hackaday from the 27th to the 30th, because we’ll be reporting on the best of Congress. But you don’t have to take our word for it: the Chaos Computer Club makes all of the talks available on livestream during the event, many with simultaneous translation, and final edited versions often appearing just a few hours afterwards.

We’ve looked through the schedule, and it’s going to be a hum-dinger! Gather ’round the glowing box with your friends at your own local hackerspace, or call in sick from work and make yourself some popcorn. This is must-see nerd TV.

Whether you’ve been naughty or nice, swing by our assembly if you’re going to be in Leipzig for the last few days of 2019. See you there!

Kerry Scharfglass Secures Your IoT Things

December 20, 2019 by 6 Comments

We’ve all seen the IoT device security trainwrecks: those gadgets that fail so spectacularly that the comment section lights up with calls of “were they even thinking about the most basic security?” No, they probably weren’t. Are you?

Hackaday Contributor and all around good guy Kerry Scharfglass thinks about basic security for a living, and his talk is pitched at the newcomer to device security. (Embedded below.) Of course “security” isn’t a one-size-fits-all proposition; you need to think about what threats you’re worried about, which you can ignore, and defend against what matters. But if you’ve never worked through such an exercise, you’re in for a treat here. You need to think like a maker, think like a breaker, and surprisingly, think like an accountant in defining what constitutes acceptable risks. Continue reading “Kerry Scharfglass Secures Your IoT Things”