Grab a shortwave radio, go up on your roof at night, turn on the radio, and if the ionosphere is just right, you’ll be able to tune into some very, very strange radio stations. Some of these stations are just a voice — usually a woman’s voice — simply counting. Some are Morse code. All of them are completely unintelligible unless you have a secret code book. These are number stations, or radio stations nobody knows much about, but everyone agrees they’re used to pass messages from intelligence agencies to spies in the field.
A few years ago, we took a look at number stations, their history, and the efforts of people who document and record these mysterious messages used for unknown purposes. These number stations exist for a particular reason: if you’re a spy, you would much rather get caught with an ordinary radio instead of a fancy encryption machine. Passing code through intermediaries or dead drops presents a liability. The solution to both these problems lies in broadcasting messages in code, allowing anyone to receive them. Only the spy who holds a code book — or in the case of the Cuban Five, software designed to decrypt messages from number stations — can decipher the code.
Number stations are a hack, of sorts, of the entire concept of broadcasting. For all but a few listeners, these number stations broadcast complete gibberish. Only to the person holding the code book or the decryption software do these number stations mean anything. However, since the first number stations went on the air over one hundred years ago, broadcasting has changed dramatically. We now have the Internet, and although most web services cannot be considered one-to-many distribution in the sense that defines broadcasting, Twitter can. Are there number stations on Twitter? There sure are. Are they used by spies or agents of governments around the world? That’s a little harder to say.
Citizen engineers, beware the Beaver State. If you want to discuss engineering in a public setting, you’d better have a license. If you don’t, you could end up like Oregon resident Mats Järlström — paying a $500 fine and being threatened with even larger civil penalties and jail time.
The story of how Järlström became ensnared in this unfortunate series of events begins innocently enough, and it’s a story that any Hackaday reader can probably relate to. After his wife received a traffic ticket in the mail from a red-light camera in the town of Beaverton, Järlström began pondering the math of traffic signal timing. After a little digging, he found the formula used for calculating the time traffic signals stay in the yellow stage. Moreover, he found a flaw in the formula, which dates back to 1959, that could lead to incorrect violations issued by automated traffic cameras.
It sounds like a scene from a movie. A dark night in London, 1972. A young man walks alone, heading home after a long night of practicing with his band. His heavy Fender bass slung over his back, he’s weary but excited about the future. As he passes a skip (dumpster for the Americans out there), a splash of color catches his attention. Wires – not building power wires, but thinner gauge electronics connection wire. A tinkerer studying for his Electrical Engineering degree, the man had to investigate. What he found would become rock and roll history, and the seed of a mystery stretching over 40 years.
The man was John Deacon, and he had recently signed on as bassist for a band named Queen. Reaching into the skip, he found the wires attached to a circuit board. The circuit looked to be an amplifier. Probably from a transistor radio or a tape player. Queen hadn’t made it big yet, so all the members were struggling to get by in London.
Deacon took the board back home and examined it closer. It looked like it would make a good practice amplifier for his guitar. He fit the amp inside an old bookshelf speaker, added a ¼" jack for input, and closed up the case. A volume control potentiometer dangled out the back of the case. Power came from a 9-volt battery outside the amp case. No, not a tiny transistor battery; this was a rather beefy PP-9 pack, commonly used in radios back then. The amp sounded best cranked all the way up, so eventually, even the volume control was removed. John liked the knobless simplicity – just plug in the guitar and play. No controls to fiddle with.
Because I often work with students, I’m always on the look-out for a simple CPU, preferably in Verilog, in the Goldilocks zone. That is, not too easy and not too hard. I had high hopes for this 16-bit RISC processor presented by [fpga4student], but without some extra work, it probably isn’t usable for its intended purpose.
The CPU itself is pretty simple and fits on a fairly long web page. However, the details about it are a bit sparse. This isn’t always a bad thing. You can offer students too much help. Then again, you can also offer too little. However, what was worse is one of the modules needed to get it to work was missing! You might argue it was an exercise left to the reader, but it probably should have been pointed out that way.
At first, I was ready to delete the bookmark and move on. Then I decided that the process of fixing this design and doing a little analysis on it might actually be more instructive than just studying a fully working design. So I decided to share my fix with you and look inside the architecture a bit more. On top of that, I’ll show you how to get the thing to run in an online simulator so you can experiment with no software installation. Of course, if you are comfortable with a Verilog toolchain (like the ones from Xilinx or Altera, or even free ones like Icarus or CVer) you should have no problem making that work, either. This time I’ll focus on how the CPU works and next time I’ll show you how to simulate it with some free tools.
Everywhere we look in our everyday lives, from our bench to our bedroom, there are the ubiquitous electrical cords of mains-powered appliances. We don’t give our electrical devices a second thought, but in addition to their primary purpose they all perform the function of keeping us safe from the dangerous mains voltages delivered from our wall sockets.
Of course, we’ve all had appliances that have become damaged. How often have you seen a plug held together with electrical tape, or a cord with some of its outer sheath missing? It’s something that we shouldn’t do, but it’s likely many readers are guiltily shuffling a particular piece of equipment out of the way at the moment.
In most countries there are electrical regulations which impose some level of electrical safety on commercial premises. Under those regulations, all appliances must be regularly tested, and any appliances that fail the tests must be either repaired or taken out of service.
In the United Kingdom, where this piece is being written, the law in question is the Electricity At Work Regulations 1989, which specifies the maintenance of electrical safety and that there should be evidence of regular maintenance of electrical appliances. It doesn’t specify how this should be done, but the way this is usually achieved is by a set of electrical tests whose official name, “In-service Inspection & Testing of Electrical Equipment”, isn’t very catchy. Thus “Portable Appliance Testing”, or PAT, is how the process is usually referred to. Join me after the break for an overview of the PAT system.
Starting up a new hackerspace from the ground up is a daunting task. Before you even think about the fun stuff like tools and a space, you’ve got a ton of social engineering to do. Finding like-minded people with the drive and passion for seeing the project through is a major stumbling block where many projects falter. If you get past that, then figuring out a corporate structure and getting funds together to start building something can be difficult, as can local permits and the endless red tape that always seems to accompany anything seen as new or innovative.
But finally the magic day comes for your group to open the doors on the new hackerspace, perhaps with an open house or some event to bring the community in and maybe rustle up some paying members. It should be a happy occasion, but for a new hackerspace near Houston, the grand opening celebration was thwarted when thieves broke into the space and cleaned out all their tools days before it opened.
Betteridge’s Law of Headlines states, “Any headline that ends in a question mark can be answered by the word no.” This law remains unassailable. However, recent claims have called into question a black box hidden deep inside every Intel chipset produced in the last decade.
Yesterday, on the Semiaccurate blog, [Charlie Demerjian] announced a remote exploit for the Intel Management Engine (ME). This exploit covers every Intel platform with Active Management Technology (AMT) shipped since 2008. This is a small percentage of all systems running Intel chipsets, and even then the remote exploit will only work if AMT is enabled. [Demerjian] also announced the existence of a local exploit.
Intel’s ME and AMT Explained
Beginning in 2005, Intel began including Active Management Technology in Ethernet controllers. This system is effectively a firewall and a tool used for provisioning laptops and desktops in a corporate environment. In 2008, a new coprocessor — the Management Engine — was added. This management engine is a processor connected to every peripheral in a system. The ME has complete access to all of a computer’s memory, network connections, and every peripheral connected to a computer. The ME runs when the computer is hibernating and can intercept TCP/IP traffic. The Management Engine can be used to boot a computer over a network, install a new OS, and can disable a PC if it fails to check into a server at some predetermined interval. From a security standpoint, if you own the Management Engine, you own the computer and all data contained within.
The Management Engine and Active Management Technology have become a focus of security researchers. The researcher who finds an exploit allowing an attacker access to the ME will become the greatest researcher of the decade. When this exploit is discovered, a billion dollars in Intel stock will evaporate. Fortunately, or unfortunately, depending on how you look at it, the Management Engine is a closely guarded secret: it’s based on a strange architecture, and the on-chip ROM for the ME is a black box. Nothing short of corporate espionage or looking at the pattern of bits in the silicon will tell you anything. Intel’s Management Engine and Active Management Technology are secure through obscurity, yes, but so far they have been secure for a decade while being a target for the best researchers on the planet.
Semiaccurate’s Claim
In yesterday’s blog post, [Demerjian] reported the existence of two exploits. The first is a remotely exploitable security hole in the ME firmware. This exploit affects every Intel chipset made in the last ten years with Active Management Technology on board and enabled. It is important to note this remote exploit only affects a small percentage of total systems.
The second exploit reported by the Semiaccurate blog is a local exploit that does not require AMT to be active but does require Intel’s Local Manageability Service (LMS) to be running. This is simply another way that physical access equals root access. From the few details [Demerjian] shared, the local exploit affects a decade’s worth of Intel chipsets, but not remotely. This is simply another evil maid scenario.
Should You Worry?
This hacker is unable to exploit Intel’s ME, even though he’s using a three-hole balaclava.
The biggest network security threat today is a remote code execution exploit for Intel’s Management Engine. Every computer with an Intel chipset produced in the last decade would be vulnerable to this exploit, and RCE would give an attacker full control over every aspect of a system. If you want a metaphor, we are dinosaurs and an Intel ME exploit is an asteroid hurtling towards the Yucatán peninsula.
However, [Demerjian] gives no details of the exploit (rightly so), and Intel has released an advisory stating, “This vulnerability does not exist on Intel-based consumer PCs.” According to Intel, this exploit will only affect Intel systems that ship with AMT, and have AMT enabled. The local exploit only works if a system is running Intel’s LMS.
This exploit — no matter what it may be, as there is no proof of concept yet — only works if you’re using Intel’s Management Engine and Active Management Technology as intended. That is, if an IT guru can reinstall Windows on your laptop remotely, this exploit applies to you. If you’ve never heard of this capability, you’re probably fine.
Still, with an exploit of such magnitude, it’s wise to check for patches for your system. If your system does not have Active Management Technology, you’re fine. If your system does have AMT, but you’ve never turned it on, you’re fine. If you’re not running LMS, you’re fine. Intel’s ME can be neutralized if you’re using a sufficiently old chipset. This isn’t the end of the world, but it does give security experts panning Intel’s technology for the last few years the opportunity to say, ‘told ya so’.
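A defender’s inventory script for the three conditions the article lists (AMT present, AMT reachable, LMS running), added here as an example and not code from the article or from Intel. It assumes the Windows service for Intel’s Local Manageability Service is registered under the name LMS and that an enabled AMT answers on its standard web-management ports, TCP 16992 (HTTP) and 16993 (HTTPS); treat both as assumptions to confirm against Intel’s documentation for your platform.

```powershell
# Added example: inventory whether the conditions the article describes apply.
# Assumptions (verify against Intel documentation): the Local Manageability
# Service is the Windows service named "LMS", and AMT's web management
# interface listens on TCP 16992/16993.
# AMT answers on those ports from the Management Engine itself, not from the
# host OS, so the port probe only means something when run from ANOTHER
# machine on the network against hosts you administer; probing localhost
# proves nothing.

$AmtPorts = 16992, 16993   # assumed well-known AMT HTTP / HTTPS ports

function Get-LmsStatus {
    # Local check: is Intel's Local Manageability Service installed and running?
    $svc = Get-Service -Name 'LMS' -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        return [pscustomobject]@{ Installed = $false; Running = $false }
    }
    return [pscustomobject]@{ Installed = $true; Running = ($svc.Status -eq 'Running') }
}

function Test-AmtExposure {
    param([Parameter(Mandatory)][string[]]$HostName)
    # Remote check: run from an admin workstation against your own fleet.
    foreach ($h in $HostName) {
        foreach ($p in $AmtPorts) {
            $open = (Test-NetConnection -ComputerName $h -Port $p `
                        -WarningAction SilentlyContinue).TcpTestSucceeded
            [pscustomobject]@{ Host = $h; Port = $p; AmtPortOpen = $open }
        }
    }
}

# Usage on the local host (the article's "are you running LMS?" question):
$lms = Get-LmsStatus
if ($lms.Running) {
    Write-Warning 'LMS is running: the local issue applies; look for a vendor firmware update.'
} else {
    Write-Output 'LMS not running: the local issue does not apply to this host.'
}

# Usage from a management host against placeholder names (the "is AMT enabled
# and reachable?" question):
# Test-AmtExposure -HostName 'ws01.example.internal','ws02.example.internal' |
#     Where-Object AmtPortOpen | Format-Table
```

A host with no AMT port open and no LMS service falls into the article’s “you’re fine” cases; one with either condition true is the one to patch first.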