This Week In Security: Intel Atoms Spill Secrets, ICMP Poisons DNS, And The Blacksmith

Intel has announced CVE-2021-0146, a vulnerability in certain processors based on the Atom architecture, and the Trusted Platform Module (TPM) is at the center of the problem. The goal of the system around the TPM is to maintain system integrity even in the case of physical access by an attacker, so the hard drive is encrypted using a key stored in a secure chip on the motherboard. The TPM chip holds this encryption key and provides it during the boot process. When combined with secure boot, this is a surprisingly effective way to prevent tampering or data access even in the case of physical access. It’s effective, at least, when nothing goes wrong.

Earlier this year, we covered a story where the encryption key could be sniffed directly from the motherboard, by tapping the traces connecting the TPM to the CPU. It was pointed out that TPM 2.0 can encrypt the disk encryption key on the traces, making this attack impossible.

The entire Trusted Compute Model is based on the premise that the CPU itself is trustworthy. This brings us back to Intel’s announcement that a debug mode could be enabled via physical access. In this debug mode, the CPU master key can be extracted, leading to complete compromise. The drive encryption key can be recovered, and unsigned firmware can be loaded to the Management Engine. This means data in the TPM enclave and the TPM-stored encryption key can be compromised. Updated firmware is rolling out through motherboard vendors to address the problem.

Know Audio: Get Into The Groove

The legendary Technics SL1200 direct-drive turntable, as used by countless DJs. Photo by Dydric [CC BY-SA 2.5], via Wikimedia Commons.
For me, the vinyl record player is the spiritual home of my audio listening experience, probably because I’m of the last generation to grow up when vinyl was king. The 12″ album, with its full-size sleeve and copious sleeve notes, used to be an integral part of musical enjoyment that hasn’t been adequately replicated in the age of streaming.

And like anyone who became an adult while CD players were still expensive luxury items, I started my journey into Hi-Fi with a turntable set-up that sounded pretty good. Since a new generation have in recent years rediscovered vinyl, it’s once again something that should be part of any review of audio technology.

I would have started this piece with a full run-down of the constituent parts of a good turntable, but since that’s a piece that I wrote back in 2017, it’s time to investigate some of the audiophile claims about vinyl recordings. It’s fair to say that this is an area where a lot of complete rubbish is spouted by people who should know better, and that’s something I find immensely entertaining to poke fun at. Buckle up.

Back of Rigol DS1104Z oscilloscope with the Ethernet and USB ports visible.

SCPI: On Teaching Your Devices The Lingua Franca Of Laboratories

One could be excused for thinking sometimes that the concept of connecting devices with other devices for automation purposes is a fairly recent invention. Yet for all the (relatively) recent hype of the Internet of Things and the ‘smart home’, laboratories have been wiring up their gear to run complicated measurement and test sequences for many decades now, along with factories doing much the same for automating production processes.

Much like the chaotic universe of IoT devices, lab equipment from different manufacturers features a wide range of incompatible protocol and interface standards. Ultimately these would coalesce into IEEE-488.1 (GPIB) as the physical layer, and by 1990 the first Standard Commands for Programmable Instruments (SCPI) standard was released, built on top of IEEE-488.

SCPI defines (as the name suggests) standard commands to interact with instruments. It has over the past decades gone on to provide remote interaction capabilities to everything from oscilloscopes and power supplies to exotic scientific equipment. Many off-the-shelf devices a hobbyist can buy today feature an SCPI interface via their Ethernet, USB or RS-232C port(s), which, combined with software, can be used to automate one’s home lab.

Even better is that it’s relatively straightforward to add SCPI functionality to one’s own devices as well, so long as they have at least an MCU and some way to communicate with the outside world.



Hackaday Links: November 14, 2021

If you’re an infrastructure dweeb, it’s hard to drive past an electrical substation and not appreciate the engineering involved in building something like that. A moment’s thought will also make it hard to miss just how vulnerable a substation is to attack, especially those located way out in the hinterlands. And now we’re learning that late last year, someone in Pennsylvania noticed this vulnerability and acted on it by attacking a substation with a commercial drone. Rather than trying to fly explosives over the substation fence, the attacker instead chose to dangle a copper wire tether under the drone, in an attempt to cause a short circuit. The attempt apparently failed when the drone crashed before contacting any conductors, and the attacker appears to have been ignorant of the extensive protective gear employed at substations that likely would have made a successful attack only a temporary outage. But it still points to the vulnerability of the grid to even low-skill, low-cost attacks.

We’ve probably all had the experience of using someone’s janky app and thinking, “Pfft! I could write something better than this!” That’s what a bunch of parents of school-age kids in Sweden thought, and they went ahead and did exactly that. Unfortunately, it didn’t turn out quite the way they expected. The problem app was called Skolplattform, which was supposed to make it easy for Stockholm’s parents to keep track of their kids’ progress at school. The app, which cost 1 billion Swedish Krona to develop, is by all accounts a disaster. But some frustrated parents managed to reverse engineer the API and build a new, better one on top of it. This resulted in Öppna Skolplattformen, an open-source app that actually works. Not to be upstaged, the city of Stockholm accused the parents of cyber crimes and data breaches. They also engaged the parents in an “API war”, constantly changing their system to nerf the new app and forcing the parents to rewrite it. In the end, the parents won, with Stockholm changing its position after a police report found that all data being accessed were voluntarily made public by the city. But it’s still a cautionary tale about the dangers of one-upping The Man.

Sam Battles is in a bit of a moral bind, and it’s something that others in our community may run into. Sam is perhaps better known as “Look Mum, No Computer” on YouTube, and as the proprietor of the “This Museum Is (Not) Obsolete” showcase of retro technology in England. He’s also an avid builder of analog synthesizers, including a world-record synth with a thousand oscillators called the “Megadrone.” He’d like to tackle another build to try to break his own records, but in a time of fragile supply chains and other woes too numerous to mention, doing so would likely require the world’s entire supply of some components. Hence the dilemma: do any of us as hobbyists have a moral obligation to tread lightly when it comes to component selection? It’s an interesting question, and one that’s sure to engender strong opinions, which of course we encourage you to share in the comments section. Please just try to keep it civil.


Peek Behind The Curtains: Conference Badge Design

In the before-times, back when we could have in-person Hackaday Supercons, there was always the problem of the badge. Making a few hundred small electronic thingies, for a smart but broad range of hackers, is tricky. We always want it to do something all on its own, but also ideally to allow enough free range that the motivated badge hacker can make it into something exquisite. Add in the fact that some attendees are hardware types and some are software types, and toss in a price constraint too. Oh, and it has to look good. Tough problem.

Here’s one extreme solution: the badge at the first Supercon. Faced with essentially zero budget and a tight time constraint, the Hackaday team punted — and produced a prototype board, but had tons of parts on hand for everyone to draw from. And the Hackaday crowd delivered. This was the badge that demonstrates what happens if you leave everything open.

Contrast with the 2018 Belgrade and Supercon badges, which were essentially the same except for color. Here, the hardware interface was limited to a 9-pin header, but the badge itself was a fully functional microcomputer, complete with keyboard and screen. Most of the hacks were written in the native BASIC, though a few hearty souls played around with the alternative CP/M system. This was our most software badge.

Our last in-person badge, the 2019 Supercon badge, was free rein for both hardware and software hackers. The whole thing was based on an FPGA, with completely custom gateware written by Sprite_tm running RISC-V, but based loosely on the Z80 architecture. This was probably also the badge with the highest hurdle to hackers, but you all came through: not only with inventive hardware add-ons, but also with a team that got a custom Linux OS running on this never-before-seen virtual environment, enabled by a hardware SDRAM cartridge hack.

And finally, even before the global supply crisis, even a tight-knit conference like ours could stock-out the world’s supply of a given component. The untold story of the 2016 Belgrade badge is that Voja Antonic bought out the world’s supply of Kingbright 8×8 common-cathode LED matrixes, and had to redesign the board at the last minute to incorporate the common-anode parts too. (Or was it vice-versa?) Lesson learned, the 2016 Supercon badge traded out the LED modules for discrete LEDs. Not gonna stock out on red LEDs.

So that’s a long-winded introduction to Thomas Flummer’s unofficial Remoticon 2 badges. With the parts crisis and a virtual conference, you’re on your own to source the badge. Splitting the freedom vs. in-built functionality problem like Samson, he’s got two boards — one a breadboard and the other fully populated. And like all his badges, they both look great. If you manage to get one made by Remoticon next week, be sure to show it off in the Bring-a-Hack. And if you don’t get it in time, bring it by in person to the 2022 Supercon!

Hackaday Podcast 144: Jigs Jigs Jigs, Fabergé Mic, Paranormal Electronics, And A 60-Tube Nixie Clock

Hackaday editors Elliot Williams and Mike Szczys get caught up on the week that was. Two builds are turning some heads this week; one uses 60 Nixie tube bar graphs to make a clock that looks like the sun’s rays, the other is a 4096 RGB LED Cube (that’s 12,288 total diodes for those counting at home) that leverages a ton of engineering to achieve perfection. Speaking of perfection, there’s a high-end microphone built on a budget but you’d never know from the look and the performance — no wonder the world is now sold out of the microphone elements used in the design. After perusing a CNC build, printer filament dryer, and cardboard pulp molds, we wrap the episode talking about electronic miniaturization, radionic analyzers, and Weird Al’s computer.

Take a look at the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Direct download (55 MB)


This Week In Security: Unicode Strikes, NPM Again, And First Steps To PS5 Crack

Maybe we really were better off with ASCII. Back in my day, we had space for 256 characters, didn’t even use 128 of them, and we took what we got. Unicode opened up computers to the languages of the world, but also opened an invisible backdoor. This is a similar technique to last week’s Trojan Source story. While Trojan Source used right-to-left encoding to manipulate benign-looking code, this hack from Certitude uses Unicode characters that appear to be whitespace, but are recognized as valid variable names.

const { timeout,ㅤ} = req.query;
Is actually:
const { timeout,\u3164} = req.query;

The extra comma might give you a clue that something is up, but unless you’re very familiar with a language, you might dismiss it as a syntax quirk and move on. Using the same trick again allows the hidden malicious code to be included on a list of commands to run, making a hard-to-spot backdoor.

The second trick is to use “confusable” characters like ǃ, U+01C3. It looks like a normal exclamation mark, so you wouldn’t bat an eye at if(environmentǃ=ENV_PROD){, but in this case, environmentǃ is a new variable. Anything in this development-only block of code is actually always enabled — imagine the chaos that could cause.

Neither of these is a ground-breaking vulnerability, but they are definitely techniques to be wary of. The authors suggest that a project could mitigate these Unicode techniques by simply restricting its source code to containing only ASCII characters. It’s not a good solution, but it’s a solution.
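As an added example (not code from the article or from Certitude), here is a small JavaScript check that implements the ASCII-only mitigation described above: it scans a source string and reports every non-ASCII code point with its line and column, naming the two characters the article discusses. The sample input is constructed to reproduce both snippets, and the last function shows that environmentǃ really is a separate identifier from environment.

```javascript
// Added example: flag non-ASCII characters in source text, a cheap way to
// enforce the "ASCII-only source" mitigation mentioned in the article.

// Characters the article names; labels are only for the report, the
// detection itself is generic (anything outside printable ASCII).
const KNOWN = new Map([
  [0x3164, "HANGUL FILLER (invisible, valid in identifiers)"],
  [0x01c3, "LATIN LETTER RETROFLEX CLICK (confusable with '!')"],
]);

// Scan source text and return one finding per non-ASCII code point.
function findNonAscii(source) {
  const findings = [];
  let line = 1, col = 0;
  for (const ch of source) {          // iterates by code point, not UTF-16 unit
    col += 1;
    if (ch === "\n") { line += 1; col = 0; continue; }
    const cp = ch.codePointAt(0);
    if (cp > 0x7e || (cp < 0x20 && ch !== "\t")) {
      findings.push({
        line, col,
        codePoint: "U+" + cp.toString(16).toUpperCase().padStart(4, "0"),
        note: KNOWN.get(cp) || "non-ASCII character",
      });
    }
  }
  return findings;
}

// One report line per finding, e.g. "1:17 U+3164 HANGUL FILLER (...)".
function report(source) {
  return findNonAscii(source).map(
    (f) => `${f.line}:${f.col} ${f.codePoint} ${f.note}`
  );
}

// Constructed sample reproducing the two snippets from the article.
const SAMPLE =
  "const { timeout,\u3164} = req.query;\n" +
  "if(environment\u01C3=ENV_PROD){\n" +
  "  debugOnly();\n" +
  "}\n";

// The confusable creates a distinct identifier: no "!=" comparison happens,
// a new variable named environmentǃ (U+01C3) is declared instead.
function confusableIsDistinct() {
  const environment = "prod";
  const environmentǃ = "something else";
  return environment !== environmentǃ;
}

console.log(report(SAMPLE).join("\n"));
```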