Grab a shortwave radio, go up on your roof at night, turn on the radio, and if the ionosphere is just right, you’ll be able to tune into some very, very strange radio stations. Some of these stations are just a voice — usually a woman’s voice — simply counting. Some are Morse code. All of them are completely unintelligible unless you have a secret code book. These are number stations, or radio stations nobody knows much about, but everyone agrees they’re used to pass messages from intelligence agencies to spies in the field.
A few years ago, we took a look at number stations, their history, and the efforts of people who document and record these mysterious messages used for unknown purposes. These number stations exist for a particular reason: if you’re a spy, you would much rather get caught with an ordinary radio instead of a fancy encryption machine. Passing code through intermediaries or dead drops presents a liability. The solution to both these problems lies in broadcasting messages in code, allowing anyone to receive them. Only the spy who holds a code book — or in the case of the Cuban Five, software designed to decrypt messages from number stations — can decipher the code.
Number stations are a hack, of sorts, of the entire concept of broadcasting. For all but a few, these number stations broadcast complete gibberish. Only to the person holding the code book or the decryption software do these number stations mean anything. However, since the first number stations went on the air over one hundred years ago, broadcasting has changed dramatically. We now have the Internet, and although most web services cannot be considered a one-to-many distribution as how broadcasting is defined, Twitter can. Are there number stations on Twitter? There sure are. Are they used by spies or agents of governments around the world? That’s a little harder to say.
It sounds like a scene from a movie. A dark night in London, 1972. A young man walks alone, heading home after a long night of practicing with his band. His heavy Fender bass slung over his back, he’s weary but excited about the future. As he passes a skip (dumpster for the Americans out there), a splash of color catches his attention. Wires – not building power wires, but thinner gauge electronics connection wire. A tinkerer studying for his Electrical Engineering degree, the man had to investigate. What he found would become rock and roll history, and the seed of mystery stretching over 40 years.
The man was John Deacon, and he had recently signed on as bassist for a band named Queen. Reaching into the skip, he found the wires attached to a circuit board. The circuit looked to be an amplifier. Probably from a transistor radio or a tape player. Queen hadn’t made it big yet, so all the members were struggling to get by in London.
Deacon took the board back home and examined it closer. It looked like it would make a good practice amplifier for his guitar. He fit the amp inside an old bookshelf speaker, added a ¼ “ jack for input, and closed up the case. A volume control potentiometer dangled out the back of the case. Power came from a 9-volt battery outside the amp case. No, not a tiny transistor battery; this was a rather beefy PP-9 pack, commonly used in radios back then. The amp sounded best cranked all the way up, so eventually, even the volume control was removed. John liked the knobless simplicity – just plug in the guitar and play. No controls to fiddle with.
You’ll all remember my grand adventure in acquiring a photocopier. Well, it’s been a rollercoaster, I tell ya. While I still haven’t found a modification worthy enough to attempt, I have become increasingly frustrated. From time to time, I like to invite my friends and family over for dinner, and conversation naturally turns to things like the art on the walls, the fish in the aquarium, or perhaps the photocopier in the living room. Now, I dearly love to share my passions with others, so it’s pretty darned disappointing when I go to fire off a few copies only to have the machine fail to boot! It was time to tackle this problem once and for all.
When powered up, the photocopier would sit at a “Please Wait…” screen for a very long time, before eventually coughing up an error code — SC990 — and an instruction to call for service. A bunch of other messages would flash up as well; Address Book Data Error, Hard Drive Data Error, and so on. In the end I realized they all centered around data storage.
Pictured: the author, in his happy place, at peace with the copier.
Now, I’d already tried diving into the service menu once before, and selected the option to format the hard drive. That had led to the problem disappearing for a short period, but now it was back. No amount of mashing away at the keypad would work this time. The format commands simply returned “Failed” every time. What to do next? You guessed it, it was time for a teardown!
Thankfully, photocopiers are designed for easy servicing — someone’s paying for all those service calls. A few screws and large panels were simply popping off with ease; completely the opposite of working on cars. Spotting the hard drive was easy, it looked like some sort of laptop IDE unit. With only SATA laptops around the house to salvage parts from, I wasn’t able to come up with something to swap in.
A bit of research (and reading the label) taught me that the drive was a Toshiba MK2023GAS/HDD2187. Replacements were available on eBay, but if I waited two weeks I’d probably be wrist deep in some other abandoned equipment. It had to be sorted on the night. In the words of [AvE], if you can’t fix it… well, you know how it goes. I yanked the drive and, lo and behold – the copier booted straight up! Just to be sure I wasn’t hallucinating, I churned out a few copies, and other than the continued jamming on all-black pages, everything was fine. Literally all it took to get the copier to boot was to remove the ailing drive. Suffice to say, I was kind of dumbfounded.
The hard drive a.k.a. the villain of the piece.
I’m happy to chalk up the win, but I have to draw issue with Ricoh’s design here. The copier is clearly capable of operating perfectly well without a hard drive. It will give up its document server and address book abilities, but it will still make copies and print without a problem.
Yet, when the copier’s drive fails, the unit fails completely and refuses to work. This necessitates a service call for the average user to get anything at all happening again — causing much lost work and productivity. A better design in my eyes would have the copier notify users of the lost functionality due to the failed drive and the need to call service, but let them copy! Any IT administrator will know the value of a bodged work around that keeps the company limping along for the day versus having a room of forty agitated workers with nothing to do. It’s a shame Ricoh chose to have the photocopier shut down completely rather than valiantly fight on.
Feel free to chime in with your own stories of minor failures that caused total shutdowns in the comments. Video below the break.
Just two weeks ago our favorite supplier of cheap ESP8266 boards, WeMos, released the long-awaited LOLIN32 ESP-32 board, and it’s almost a killer. Hackaday regular [deshipu] tipped us off, and we placed an order within minutes; if WeMos is making a dirt-cheap ESP32 development board, we’re on board! It came in the mail yesterday. (They’re out of stock now, more expected soon.)
If you’ve been following the chip’s development, you’ll know that the first spin of ESP-32s had some silicon bugs (PDF) that might matter to you if you’re working with deep sleep modes, switching between particular clock frequencies, or using the brown-out-reset function. Do the snazzy new, $8, development boards include silicon version 0 or 1? Read on to find out!
A few weeks ago we published an article on the newly released Keysight 1000X, an oscilloscope that marks Keysight’s late but welcome entry into the hacker-centric entry-level market. Understandably, this scope is causing a lot of excitement as it promises to bring some of the high-end pedigree of the well-known 2000X and 3000X models down to a much affordable price. Now couple that with the possibility of hacking its bandwidth lock and all this fuss is well justified.
[Dave Jones] from the EEVblog got his hands on one, and while conducting a UART dump saw the scope report 200 MHz bandwidth despite being labelled as a 100 MHz model. He then proceeded to actually hack the main board to unlock an undocumented 200 MHz bandwidth mode. This created a lot of confusion: some said [Dave] got a “pre-hacked” version, others assumed all 100 MHz versions actually have a stock bandwidth of 200 MHz.
Alongside the question of bandwidth, many wondered how this would fare against the present entry-level standard, the Rigol 1054Z. Is the additional cost and fewer channels worth the Keysight badge?
Keysight’s response to our queries and confusion was the promise to send us a review unit. Well, after receiving it and playing around with it, clearly a lot of Keysight’s high-end excellence has trickled down to this lower end version. However, this machine was not without some silly firmware issues and damning system crashes! Read on the full review below. Continue reading “Scope Review: Keysight 1000 X-Series”→
Betteridge’s Law of Headlines states, “Any headline that ends in a question mark can be answered by the word no.” This law remains unassailable. However, recent claims have called into question a black box hidden deep inside every Intel chipset produced in the last decade.
Yesterday, on the Semiaccurate blog, [Charlie Demerjian] announced a remote exploit for the Intel Management Engine (ME). This exploit covers every Intel platform with Active Management Technology (AMT) shipped since 2008. This is a small percentage of all systems running Intel chipsets, and even then the remote exploit will only work if AMT is enabled. [Demerjian] also announced the existence of a local exploit.
Intel’s ME and AMT Explained
Beginning in 2005, Intel began including Active Management Technology in Ethernet controllers. This system is effectively a firewall and a tool used for provisioning laptops and desktops in a corporate environment. In 2008, a new coprocessor — the Management Engine — was added. This management engine is a processor connected to every peripheral in a system. The ME has complete access to all of a computer’s memory, network connections, and every peripheral connected to a computer. The ME runs when the computer is hibernating and can intercept TCP/IP traffic. Management Engine can be used to boot a computer over a network, install a new OS, and can disable a PC if it fails to check into a server at some predetermined interval. From a security standpoint, if you own the Management Engine, you own the computer and all data contained within.
The Management Engine and Active Management Technolgy has become a focus of security researchers. The researcher who finds an exploit allowing an attacker access to the ME will become the greatest researcher of the decade. When this exploit is discovered, a billion dollars in Intel stock will evaporate. Fortunately, or unfortunately, depending on how you look at it, the Managment Engine is a closely guarded secret, it’s based on a strange architecture, and the on-chip ROM for the ME is a black box. Nothing short of corporate espionage or looking at the pattern of bits in the silicon will tell you anything. Intel’s Management Engine and Active Management Technolgy is secure through obscurity, yes, but so far it’s been secure for a decade while being a target for the best researchers on the planet.
Semiaccurate’s Claim
In yesterday’s blog post, [Demerjian] reported the existence of two exploits. The first is a remotely exploitable security hole in the ME firmware. This exploit affects every Intel chipset made in the last ten years with Active Management Technology on board and enabled. It is important to note this remote exploit only affects a small percentage of total systems.
The second exploit reported by the Semiaccurate blog is a local exploit that does not require AMT to be active but does require Intel’s Local Manageability Service (LMS) to be running. This is simply another way that physical access equals root access. From the few details [Demerjian] shared, the local exploit affects a decade’s worth of Intel chipsets, but not remotely. This is simply another evil maid scenario.
Should You Worry?
This hacker is unable to exploit Intel’s ME, even though he’s using a three-hole balaclava.
The biggest network security threat today is a remote code execution exploit for Intel’s Management Engine. Every computer with an Intel chipset produced in the last decade would be vulnerable to this exploit, and RCE would give an attacker full control over every aspect of a system. If you want a metaphor, we are dinosaurs and an Intel ME exploit is an asteroid hurtling towards the Yucatán peninsula.
However, [Demerjian] gives no details of the exploit (rightly so), and Intel has released an advisory stating, “This vulnerability does not exist on Intel-based consumer PCs.” According to Intel, this exploit will only affect Intel systems that ship with AMT, and have AMT enabled. The local exploit only works if a system is running Intel’s LMS.
This exploit — no matter what it may be, as there is no proof of concept yet — only works if you’re using Intel’s Management Engine and Active Management Technology as intended. That is, if an IT guru can reinstall Windows on your laptop remotely, this exploit applies to you. If you’ve never heard of this capability, you’re probably fine.
Still, with an exploit of such magnitude, it’s wise to check for patches for your system. If your system does not have Active Management Technology, you’re fine. If your system does have AMT, but you’ve never turned it on, you’re fine. If you’re not running LMT, you’re fine. Intel’s ME can be neutralized if you’re using a sufficiently old chipset. This isn’t the end of the world, but it does give security experts panning Intel’s technology for the last few years the opportunity to say, ‘told ‘ya so’.
It’s no secret that a vast amount of American infrastructure is in great need of upgrades, repairs or replacements. The repairs that are desperately needed will come, and they will come in one of two ways. Either proactive repairs can be made when problems are first discovered, or repairs can be made at considerably greater cost after catastrophic failures have occurred. As was the case with the I-35 bridge collapse in Minnesota, we often pay in lives as well. Part of the problem is that infrastructure isn’t very exciting or newsworthy to many people outside of the civil engineering community which leads to complacency and apathy. As a result, it’s likely that you may not have heard about the latest struggle currently playing out in California even though it involves the largest dam in the United States and its potential failure.
Surprisingly enough, the largest dam in the US isn’t the famous Hoover Dam but the Oroville Dam at the base of the Sierra Nevada mountain range in California. At 235 meters, it is almost 15 meters taller than the Hoover Dam. It can store over four cubic kilometers of water but whether or not it will keep storing that water into the future is currently under question. In February of this year during a flood control operation damage was observed on the dam’s spillway where a massive hole had formed which only got larger as the dam was forced to continue releasing water. The hole quickly grew, and the floodwaters eroded much of the lower half of the spillway embankment, forming a canyon. Continue reading “Another California Water Crisis”→