This Week In Security: Insecure Chargers, Request Forgeries, And Kernel Security

August 6, 2021 by Jonathan Bennett 13 Comments

The folks at Pen Test Partners decided to take a look at electric vehicle chargers. Many of these chargers are WiFi-connected, and let you check your vehicle’s charge state via the cloud. How well are they secured? Predictably, not as well as they could be.

The worst of the devices tested, Project EV, didn’t actually have any user authentication on the server side API. Knowing the serial number was enough to access the account and control the device. The serial numbers are predictable, so taking over every Project EV charger connected to the internet would have been trivial. On top of that, arbitrary firmware could be loaded remotely onto the hardware was possible, representing a real potential problem.

The EVBox platform had a different problem, where an authenticated user could simply specify a security role. The tenantadmin role was of particular interest here, working as a superadmin that could see and manage multiple accounts. This flaw was patched within an impressive 24 hours. The ~~EVBox charger~~, as well as several other devices they checked had fundamental security weaknesses due to their use of Raspberry Pi hardware in the product. Edit: The EVBox was *not* one of the devices using the Pi in the end product.

Wait, What About the Raspberry Pi?

Apparently the opinion that a Raspberry Pi didn’t belong in IoT hardware caught Pen Test Partners some flack, because a few days later they published a follow-up post explaining their rationale. To put it simply, the Pi can’t do secure boot, and it can’t do encrypted storage. Several of the flaws they found in the chargers mentioned above were discovered because the device filesystems were wide open for inspection. A processor that can handle device encryption, ideally better than the TPM and Windows Bitlocker combination we covered last week, gives some real security against such an attack. Continue reading “This Week In Security: Insecure Chargers, Request Forgeries, And Kernel Security” →

Linux Fu: The Windows X11 Connection

August 5, 2021 by Al Williams 38 Comments

The life of a Linux user can be a bit difficult. Sometimes you have to — or want to — run Windows. Why Windows? Sometimes you have a work computer or a laptop that Linux doesn’t support well. Or it might be software. Although there are plenty of programs that can edit, say, Word documents, there’s always that one document that doesn’t quite translate correctly. Things like videoconferencing software sometimes works on Linux but might have fewer features.

So what do you do? You can dual boot, of course, but that’s not very handy. You can run Windows in a virtual machine if you have enough horsepower. There’s also Wine, but that often has its own set of problems with features and stability of complex programs. However, recent versions of Windows provide the Windows Subsystem for Linux (WSL).

With WSL, you can have most of what you like about Linux inside your Windows session. You just have to know how to set it up, and I’m going to show you one way that works for me with reasonably stable versions of Windows 10. Continue reading “Linux Fu: The Windows X11 Connection” →

We’re Hiring: Come Join Us!

August 4, 2021 by Mike Szczys 11 Comments

You wake up in the morning, and check Hackaday over breakfast. Then it’s off to work or school, where you’ve already had to explain the Jolly Wrencher to your shoulder-surfing colleagues. And then to a hackspace or back to your home lab, stopping by the skull-and-cross-wrenches while commuting, naturally. You don’t bleed red, but rather #F3BF10. It’s time we talked.

The Hackaday writing crew goes to great lengths to cover all that is interesting to engineers and enthusiasts. We find ourselves stretched a bit thin and it’s time to ask for help. Want to lend a hand while making some extra dough to plow back into your projects? We’re looking for contributors to write a few articles per week and keep the Hackaday flame burning.

Contributors are hired as private contractors and paid for each article. You should have the technical expertise to understand the projects you write about, and a passion for the wide range of topics we feature. You’ll have access to the Hackaday Tips Line, and we count on your judgement to help us find the juicy nuggets that you’d want to share with your hacker friends.

If you’re interested, please email our jobs line (jobs at hackaday dot com) and include:

One example article written in the voice of Hackaday. Include a banner image, at least 150 words, the link to the project, and any in-links to related and relevant Hackaday features. We need to know that you can write.
Details about your background (education, employment, interests) that make you a valuable addition to the team. What do you like, and what do you do?
Links to your blog/project posts/etc. that have been published on the Internet, if any.

What are you waiting for? Ladies and Gentlemen, start your applications!

Inputs Of Interest: SafeType™ Vertical Keyboard With Mirrors Puts Pain In The Rear-View

August 4, 2021 by Kristina Panos 11 Comments

Yep, this keyboard is another ebay special. I can’t stay away! This is a SafeType™ V801 from probably the early 2000s, although there is no date on it anywhere. I’m basing my guess on the fact that there are so many media buttons. I’ve been eyeing these weirdo mirrored keebs for a while, and when I saw how cheaply this one was going for, I had to have it. That’s just how it goes. I was really excited to clack on it and I’m only marginally disappointed by it. But I can tell you that if my Kinesis were to suddenly die, I would probably reach for this keyboard until the new one showed up.

Yes, mirrors on a keyboard are weird. But if you can’t touch-type the numerals and F keys, they’re absolutely necessary.

So, why does it look like this? There are varying levels of ergonomics when it comes to keyboards. This one fights strongly against wrist pronation and forces you into a position that helps the shoulders and neck as well. You’d think it would be weird to hold your arms aloft at right angles, but it’s actually not that strange in practice because you’re pressing inward to type, kind of like playing an accordion or something.

The weird part is looking in the rear-view mirrors to accurately hit the numerals and F keys, though I’ll be honest: in my test drives, I found myself using the mirrors mostly to make sure my hands were on the home row. And that’s with three homing protrusions apiece on F and J! More about that later.

So yes, some of the keycap legends are backwards so you can read them in the mirror. If you don’t like using the numeral row, there’s a num pad in the center, along with the Home/End cluster, a quartet of comically large arrow keys, and a boatload of dedicated media and program launch buttons. All the buttons in the middle are fairly awkward to reach because you must either pull your hand down and around the bottom, or else go over the top. Continue reading “Inputs Of Interest: SafeType™ Vertical Keyboard With Mirrors Puts Pain In The Rear-View” →

AND!XOR’s DEF CON 29 Electronic Badge Is An Assembly Puzzle

August 2, 2021 by Mike Szczys 3 Comments

For years I’ve looked forward to seeing each new unofficial hardware badge that comes out of the #Badgelife powerhouse known as AND!XOR. A mix of new and interesting components, alternate-reality game, and memes, you never know what they’re going to throw down.

A bubble pack landed on my desk on Thursday with the newest offering, the AND!XOR electronic badge built for DEF CON 29, happening this weekend as a hybrid in-person and online conference. While each previous year upped the ante on complexity and manufacturing magic tricks, it’s no surprise considering the uncertainty of both the global pandemic and global chip shortage that they took a different tack. What we have here is a badge hacking puzzle that challenges you to just figure out how to put the thing together!

Continue reading “AND!XOR’s DEF CON 29 Electronic Badge Is An Assembly Puzzle” →

Hackaday Links: August 1, 2021

August 1, 2021 by Dan Maloney 27 Comments

Amateur radio operators have a saying: When all else fails, there’s ham radio. And that’s true, at least to an extent — knock out the power, tear down the phone lines, and burn up all the satellites in orbit, and there will still be hams talking about politics on 40 meters. The point is, as long as the laws of physics don’t change, hams will figure out a way to send and receive messages. In honor of that fact, the police in the city of Pune in Maharashtra, India, make it a point to exchange messages with their headquarter using Morse code once a week. The idea is to maintain a backup system, in case they can’t get a message through any other way. It’s a good idea, especially since they rotate all their radio operators through the Sunday morning ritual. We can’t imagine that most emergency services dispatchers would be thrilled about learning Morse, though.

Just because you’re a billionaire with a space company doesn’t mean you’re an astronaut. At least that’s the view of the US Federal Aviation Administration, which issued guidelines pretty much while Jeff Bezos and his merry band of cohorts were floating about above the 100-km high Kármán line in a Blue Origin “New Shepard” rocket. The FAA guidelines make it clear that those making the trip need to have actually done something to qualify as an astronaut, by “demonstrated activities during flight that were essential to public safety, or contributed to human space flight safety.” That’s good news to the “Old Shepard”, who clearly was in control of “Freedom 7” during the Mercury program. But the Bezos brothers, teenager Oliver Daemen, and Wally Funk, one of the “Mercury 13” group of women who trained to be NASA astronauts but never got to fly, were really just along for the ride, as the entire flight was automated. It doesn’t take away from the fact that they’ve been to space and you haven’t, of course, but they can’t officially call themselves astronauts. This goes to show that even billionaires can just be ballast too.

Good news, everyone — if you had anything that was being transported aboard the Ever Given, your stuff is almost there. The Suez Canal-occluding container ship finally made it to its original destination in Rotterdam, approximately four months later than originally predicted. After plugging up the vital waterway for six days last March, the ship along with her cargo and her crew were detained in Egypt’s Great Bitter Lake, perhaps the coolest sounding body of water in the world next to the Dead Sea. Legal squabbling ensued at that point, all the while rendering whatever was in the 20,000-odd containers aboard the ship pretty much pointless. We’d imagine that even with continuous power, whatever was in the refrigerated containers must be pretty nasty by now, so there’s probably a lot of logistics and clean-up left to sort out.

I have to admit that I have a weird love of explosive bolts. I don’t know what it is, but the idea of fasteners engineered to fail in a predictable way under the influence of pyrotechnic charges just tickles something in me. I mean, I even wrote a whole article on the subject once. So when I came across this video explaining how the Space Shuttles were held to the launch pad, I really had to watch it. Surprisingly, the most interesting part of this story was not the explosive aspect, but the engineering problem of supporting the massive vehicle on the launch pad. For as graceful as the Shuttles seemed once they got into orbit, they really were ungainly beasts, especially strapped to the external fuel tank and booster. The scale of the eight frangible nuts used to secure the boosters to the pad is just jaw-dropping. We also liked the idea that NASA decided to catch the debris from the explosions in a container filled with sand.

Retrotechtacular: Understanding Protein Synthesis Through Interpretive Dance

August 1, 2021 by Dan Maloney 8 Comments

With the principles of molecular biology very much in the zeitgeist these days, we thought it would be handy to provide some sort of visual aid to help our readers understand the complex molecular machines at work deep within each cell of the body. And despite appearances, this film using interpretive dance to explain protein synthesis will teach you everything you need to know.

Now, there are those who go on and on about the weirdness of the 1960s, but as this 1971 film from Stanford shows, the 60s were just a warm-up act for the really weird stuff. The film is a study in contrasts, with the setup being provided by the decidedly un-groovy Paul Berg, a professor of biochemistry who would share the 1980 Nobel Prize in Medicine for his contributions to nucleic acid research. His short sleeves and skinny tie stand in stark contrast to the writhing mass of students capering about on a grassy field, acting out the various macromolecules involved in protein synthesis. Two groups form the subunits of the ribosome, a chain of ballon-headed students act as the messenger RNA (mRNA) that codes for a protein, and little groups standing in for the transfer RNA (tRNA) molecules that carry the amino acids float in and out of the process.

The level of detail, at least as it was understood in 1971, is impressively complete, with soloists representing things like T-factor and the energy-carrying molecule GTP. And while we especially like the puff of smoke representing GTP’s energy transfer, we strongly suspect a lot of other smoke went into this production.

Kitsch aside, and with apologies to Lewis Carroll and his Jabberwock, you’ll be hard-pressed to find a modern animation that captures the process better. True, a more traditional animation might make the mechanistic aspects of translation clearer, but the mimsy gyre and gimble of this dance really emphasize the role random Brownian motion plays in macromolecular processes. And you’ll never see the term “tRNA” and not be able to think of this film.

Continue reading “Retrotechtacular: Understanding Protein Synthesis Through Interpretive Dance” →