Best Buy’s IoT Goes Dark, Leaving Some “Smart” Products Dumbfounded

Bad news if you bought several Insignia-branded smart devices from Best Buy. The company has decided to shut down the back end systems that make them work — or at least work as a smart device. On the chopping block are smart outlets, switches, a security camera, and an upright freezer. If you bought, say, the freezer, it will still keep things cold. But the security camera will apparently be of no use at all now that the backend systems have gone dark. The company is offering an unspecified partial refund to users of the affected devices.

Best Buy announced this in September, and the shutdown date was last week on November 6th. Not all Insignia products are impacted, just the ones that rely on their app.

Anytime we talk about cloud-based technology, there are always a few people who say something like, “I’ll never rely on anything in the cloud!” Perhaps they have a point — certainly in this case they were right. There are really two things to consider: hardware devices that rely on the cloud, and data that resides in the cloud. In some cases, one product — like a camera — might have both.

Ask Hackaday: Is Anyone Sad Phone VR Is Dead?

It’s official: smartphone-based VR is dead. The two big players in this space were Samsung Gear VR (powered by Oculus, which is owned by Facebook) and Google Daydream. Both have called it quits, with Google omitting support from their newer phones and Oculus confirming that the Gear VR has reached the end of its road. Things aren’t entirely shut down quite yet, but when they are, it will surely leave a lot of empty headsets lying around. These things exist in the millions, but did anyone really use phone-based VR? Are any of you sad to see it go?

Google Cardboard, lowering cost and barrier to entry about as low as it could go.

In case you’re unfamiliar with phone-based VR, this is how it works: the user drops their smartphone into a headset, puts it on their head, and optionally uses a wireless controller to interact with things. The smartphone takes care of tracking motion and displaying 3D content while the headset itself takes care of the optics and holds everything in front of the user’s eyeballs. On the low end was Google Cardboard and on the higher end were Daydream and Gear VR. It works, and is both cheap and portable, so what happened?

In short, phone-based VR had constraints that limited just how far it could go when it came to delivering a VR experience, and these constraints kept it from being viable in the long run. Here are some of the reasons smartphone-based VR hit the end of the road:

Review: Ear Wax Cleaning Cameras As Cheap Microscopes, We Take A Closer Look

Those of us who trawl the world of cheap imported goods will most often stay in our own comfortable zones as we search for new items to amaze and entertain us. We’ll have listings of electronic goods or tools, and so perhaps miss out on the scores of other wonders that can be ours for only a few dollars and a week or two’s wait for postage.

Who knew sticky ears were such big business!

Just occasionally though something will burst out of another of those zones and unexpectedly catch our eye, and we are sent down an entirely new avenue in the global online supermarket.

Thus it was that when a few weeks ago I was looking for an inspection camera I had a listing appear from the world of personal grooming products. It seems that aural hygiene is a big market, and among the many other products devoted to it is an entire category of ear wax removal tools equipped with cameras. These can get you up close and personal with your ear canal, presumably so you can have a satisfying scoop at any accumulated bodily goop. I have a ton of electronics-related uses for a cheap USB close-up camera so I bought one of these so I could — if you’ll excuse the expression — get a closer look.

Hackaday Links: November 10, 2019

In the leafy suburbs of northern Virginia, a place ruled by homeowner’s associations with tremendous power to dictate everything from the color of one’s front door to the length of grass in the lawn, something as heinous as garage doors suddenly failing to open on command is sure to cause a kerfuffle. We’ve seen this sort of thing before, where errant RF emissions cause unintentional interference, and such stories aren’t terribly interesting because the FCC usually steps in and clears things up. But this story is a little spicier given the source of the interference: Warrenton Training Center, a classified US government communications station located adjacent to the afflicted neighborhood. WTC is known to be a CIA signals intelligence station, home to spooks doing spooky stuff, including running high-power numbers stations. The interference isn’t caused by anything as cloak-and-dagger as that, though; rather, it comes from new land-mobile radios that the Department of Defense is deploying. The new radios use the 380-400 MHz band, which is allocated to the Federal Government and unlicensed Part 15 devices, like garage door remotes. But Part 15 rules, which are clearly printed on every device covered by them, state that the devices have to accept unwanted interference, even when it causes a malfunction. So the HOA members who are up in arms and demanding that the government buy them new garage door openers are likely to be disappointed.

Speaking of spooks, if you’re tired of the prying electronic eyes of facial recognition cameras spoiling your illusion of anonymity, have we got a solution for you. The Opt-Out Cap is the low-tech way to instantly change your face for a better one, or at least one that’s tied to someone else. In a move which is sure not to arouse suspicion in public, doffing the baseball cap deploys a three-piece curtain of semi-opaque fabric, upon which is printed the visage of someone who totally doesn’t look creepy or sketchy in any way. Complete instructions are provided if you want to make one before your next trip to the ATM.

It’s always a great day when a new Ken Shirriff post pops up in our feed, and his latest post is no exception. In it, Ken goes into great detail about the history of the 80×24 (or 25) line standard for displays. While that may sound a bit dry, it’s anything but. After dispelling some of the myths and questionable theories of the format’s origin – sorry, it’s not just because punch cards had 80 columns – he discusses the transition from teletypes to CRTs, focusing on the very cool IBM 2260 Display Station. This interesting beast used an acoustic delay line made of 50′ (15 m) of nickel wire. It stored data as a train of sound pulses traveling down the wire, which worked well and was far cheaper than core memory, even if it was susceptible to vibrations from people walking by it and needed a two-hour warm-up period before use. It’s a fascinating bit of retrocomputing history.

A quick mention of a contest we just heard about that might be right up your alley: the Tech To Protect coding challenge is going on now. Focused on applications for public safety and first responders, the online coding challenge addresses ten different areas, such as mapping LTE network coverage to aid first responders or using augmented reality while extricating car crash victims. It’s interesting stuff, but if you’re interested you’ll have to hurry – the deadline is November 15.

And finally, Supercon starts this week! It’s going to be a blast, and the excitement to hack all the badges and see all the talks is building rapidly. We know not everyone can go, and if you’re going to miss it, we feel for you. Don’t forget that you can still participate vicariously through our livestream. We’ll also be tweet-storming and running a continuous chat on Hackaday.io to keep everyone looped in.

Hackaday Podcast 043: Ploopy, Castlevania Cube-Scroller, Projection Map Your Face, And Smoosh Those 3D Prints

Before you even ask, it’s an open source trackball and you’re gonna like it. Hackaday Editors Mike Szczys and Elliot Williams get down to brass tacks on this week’s hacks. From laying down fatter 3D printer extrusion and tricking your stick welder, to recursive Nintendos and cubic Castlevania, this week’s episode is packed with hacks you ought not miss.

Take a look at the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Direct download (60 MB or so.)

This Week In Security: BGP Bogons, Chrome Zero Day, And Save Game Attacks

Our own [Pat Whetman] wrote about a clever technique published by the University of Michigan, where lasers can be used to trigger a home assistant device. It’s an interesting hack, and you should go read it.

Borrowing IP Addresses

We’ve lived through several IPv4 exhaustion milestones, and the lack of available addresses is really beginning to show, even for trolls and scammers. A new approach takes advantage of the weak security of the Border Gateway Protocol, and allows bad actors to temporarily take over reserved address blocks. These particular providers operate out of Russia, running network services they advertise as “bulletproof”, or immune to takedown requests. What better way to sidestep takedowns than to use IP addresses that aren’t really yours to begin with?

BGP spoofing has been at the center of other types of attacks and incidents, like in 2018 when a misconfiguration in a Nigerian ISP’s BGP tables routed traffic intended for Google’s servers through Chinese and Russian infrastructure. In that case it appeared to be a genuine mistake, but little prevents malicious BGP table poisoning.
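On the receiving side, the usual defence against announcements for reserved space is a prefix filter. The sketch below is an added example, not from the original post: the bogon list is a subset of the IANA special-purpose IPv4 ranges, and the announcements and origin ASNs are constructed sample data.

```python
import ipaddress

# Subset of the IANA special-purpose IPv4 registry, used here as the bogon list.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4",
)]


def bogon_match(prefix: str):
    """Return the bogon block that an announced prefix overlaps, or None."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4:
        return None  # this sketch only carries an IPv4 list
    for bogon in BOGON_PREFIXES:
        # overlaps() catches a more-specific inside the block as well as a
        # covering announcement that would swallow it.
        if net.overlaps(bogon):
            return bogon
    return None


def filter_announcements(announcements):
    """Split (prefix, origin_asn) pairs into accepted and rejected lists."""
    accepted, rejected = [], []
    for prefix, asn in announcements:
        hit = bogon_match(prefix)
        if hit is None:
            accepted.append((prefix, asn))
        else:
            rejected.append((prefix, asn, str(hit)))
    return accepted, rejected


# Constructed sample announcements: (prefix, origin ASN).
SAMPLE_ANNOUNCEMENTS = [
    ("8.8.8.0/24", 15169),      # ordinary routable prefix
    ("198.18.4.0/24", 64496),   # more-specific inside a reserved block
    ("100.64.12.0/22", 64497),  # shared address space, not globally routable
]

if __name__ == "__main__":
    ok, bad = filter_announcements(SAMPLE_ANNOUNCEMENTS)
    print("accepted:", ok)
    print("rejected:", bad)
```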

Chrome Zero-day

Google released an update to Chrome on the 31st that addresses two CVEs, one of which is being actively exploited. That vulnerability, CVE-2019-13720, is a race condition resulting in a potential use-after-free. Kaspersky Labs found this one being actively used on a Korean news site. The attack runs entirely from JavaScript, and simply visiting a malicious site is enough for compromise, so update Chrome if it’s installed.

Anti-anti-doping

What do you do when you feel you’ve been unfairly targeted by an anti-doping investigation? Apparently hacking the investigating agency and releasing stolen information is an option. It seems like this approach is more effective when there are shenanigans revealed in the data dump. In this case, the data being released seems rather mundane.

Firefox Blocking Sideload Extensions

Mozilla made a controversial announcement on the 31st. They intend to block “sideload” browser extensions. Until this change, it was possible to install browser extensions by copying them to a particular folder on the computer. Some legitimate extensions used this installation method, but so did malware, adware, and other unwanted software. While this change will block some malicious add-ons, it does present a bit of a challenge to a user installing an extension that isn’t on the official Mozilla store or signed by Mozilla.

As you might imagine, the response has been… less than positive. While making malware harder to install is certainly welcome, this makes some use cases very difficult. An example that comes to mind is a Linux package that includes a browser extension. It remains to be seen exactly how this change will shake out.

Save Games as Attack Vector

An oddball vulnerability caught my eye, published by [Denis Andzakovic] over at Pulse Security. He discovered that a recent indie game, Untitled Goose Game, can be manipulated into running arbitrary code as a result of loading a maliciously modified save file. The vulnerability is rooted in a naive deserialization routine.

If you’re interested in a deeper dive into .NET deserialization bugs, a great paper was submitted to Black Hat 2012 discussing the topic. The short version is that if a programmer isn’t careful, the deserialization routine can overwrite variables in unexpected ways, potentially leading to code execution.

At first glance, a vulnerability triggered by a malicious save file seems relatively harmless. The level of access needed to modify a save file on a hard drive is enough to compromise that computer in a multitude of better ways. Enter cloud save synchronization. Steam, for instance, will automatically sync save games across a user’s install locations. This is a very useful feature for those of us that might play the same game on a laptop and a desktop. Having the save game automatically synced to all your devices is quite useful, but if an attacker compromised your Steam account, your save games could be manipulated. This leads to the very real possibility that an attacker could use a save game vulnerability to turn a Steam account compromise into an attack on all your machines with Steam installs.
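Because a synced save file is untrusted input, the loader should not let the file decide which types get built. The following is an added example, not code from the game or the Pulse Security write-up: it uses Python’s pickle as a stand-in for the .NET serializer, and the save schema and sample blobs are constructed for illustration.

```python
import io
import pickle
from collections import OrderedDict

# Hypothetical save schema: field name -> (min, max) for integer values.
SCHEMA = {"level": (1, 20), "honks": (0, 1_000_000)}


class DataOnlyUnpickler(pickle.Unpickler):
    """Unpickler that lets the stream carry data but never name a type."""

    def find_class(self, module, name):
        # pickle calls this whenever the stream asks for a class or function.
        # A naive loader resolves whatever is named; a save file needs none.
        raise pickle.UnpicklingError(f"save file names a type: {module}.{name}")


def load_save(blob: bytes) -> dict:
    """Deserialize an untrusted save file and validate it against SCHEMA."""
    obj = DataOnlyUnpickler(io.BytesIO(blob)).load()
    if type(obj) is not dict or set(obj) != set(SCHEMA):
        raise pickle.UnpicklingError("save file has unexpected structure")
    for key, (low, high) in SCHEMA.items():
        value = obj[key]
        # type() rather than isinstance() so that bool is not accepted as int.
        if type(value) is not int or not low <= value <= high:
            raise pickle.UnpicklingError(f"field {key!r} is out of range")
    return obj


def is_rejected(blob: bytes) -> bool:
    """True when load_save refuses the blob."""
    try:
        load_save(blob)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed sample inputs (not real save files).
GOOD_SAVE = pickle.dumps({"level": 3, "honks": 42})
TYPED_SAVE = pickle.dumps(OrderedDict(level=3, honks=42))  # stream names a type
BAD_VALUE_SAVE = pickle.dumps({"level": 3, "honks": -1})   # data only, bad value
EXTRA_FIELD_SAVE = pickle.dumps({"level": 3, "honks": 42, "debug": 1})

if __name__ == "__main__":
    print(load_save(GOOD_SAVE))
    print([is_rejected(b) for b in (TYPED_SAVE, BAD_VALUE_SAVE, EXTRA_FIELD_SAVE)])
```

A data-only format such as JSON, validated the same way, avoids the type-resolution step altogether.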

Found Footage: Elliot Williams Talks Nexus Technologies

Back at the 2017 Superconference, Hackaday Managing Editor Elliot Williams started his talk about the so-called “Internet of Things” by explaining the only part he doesn’t like about the idea is the Internet… and the things. It’s a statement that most of us would still agree with today. If anything, the situation has gotten worse in the intervening years. Commercial smart gadgets are now cheaper and more plentiful than they’ve ever been, but it seems like precious little has been done to improve their inherent privacy and security issues.

But his talk doesn’t serve to bash the companies producing these devices or even the services that ultimately folded and left their customers with nigh useless gadgets. That’s not his style. The central theme of “Nexus Technologies: Or How I Learned to Love WiFi” is that a smart home can be a wonderful thing, assuming it works the way you want it to. Elliot argues that between low-cost modular hardware and open source software, the average hacker has everything they need to build their own self-contained home automation ecosystem. One that’s not only cheaper than what they’re selling at the Big Box electronics store, but also doesn’t invite any of the corporate giants to the party.

Of course, it wasn’t always so. A decade ago it would have been all but impossible, and five years ago it would have been too expensive to be practical. As Elliot details his journey towards a truly personal smart home, he explains the advances in hardware and software that have made it not just possible on the DIY level, but approachable. The real takeaway is that once more people realize how cheap and easy it is to roll your own smart home gadgets, they may end up more than willing to kick Big Brother to the curb and do IoT on their own terms.

This previously unpublished recording somehow slipped between the cracks of the editing room floor but upon recent discovery, it’s still just as relevant today. Take a look at Elliot’s view on Nexus Technologies, then join us after the break for a deeper dive. Make sure to subscribe to Hackaday’s YouTube channel to get in on the 2019 Hackaday Superconference live stream starting Saturday, November 16th.
