Hackaday Podcast 034: 15 Years Of Hackaday, ESP8266 Hacked, Hydrogen Seeps Into Cars, Giant Scara Drawbot, Really Remote RC Car Racing

Elliot Williams and Mike Szczys wish Hackaday a happy fifteenth birthday! We also jump into a few vulns found (and fixed… ish) in the WiFi stack of ESP32/ESP8266 chips, try to get to the bottom of improved search for 3D printable CAD models, and drool over some really cool RC cars that add realism to head-to-head online racing. We look at the machining masterpiece that is a really huge SCARA arm drawbot, ask why Hydrogen cars haven’t been seeing the kind of sunlight that fully electric vehicles do, and give a big nod of approval to a guide on building your own custom USB cables.

Take a look at the links below if you want to follow along, and as always tell us what you think about this episode in the comments!

Direct download (60 MB or so.)

This Week In Security: Mass IPhone Compromise, More VPN Vulns, Telegram Leaking Data, And The Hack Of @Jack

In a very mobile-centric installment, we’re starting with the story of a long-running iPhone exploitation campaign. It’s being reported that this campaign was being run by the Chinese government. Attack attribution is decidedly non-trivial, so let’s be cautious and say that these attacks were probably Chinese operations.

In any case, Google’s Project Zero was the first to notice and disclose the malicious sites and attacks. There were five separate vulnerability chains, targeting iOS versions 10 through 12, with at least one previously unknown 0-day vulnerability in use. The Project Zero write-up is particularly detailed, and really documents the exploits.

The payload as investigated by Project Zero doesn’t permanently install any malware on the device, so if you suspect you could have been compromised, a reboot is sufficient to clear your device.

This attack is novel in how sophisticated it is, while simultaneously being almost entirely non-targeted. The malicious code would run on the device of any iOS user who visited the hosting site. The 0-day vulnerability used in this attack would have a potential value of over a million dollars, and these high value attacks have historically been more targeted against similarly high-value targets. While the websites used in the attack have not been disclosed, the sites themselves were apparently targeted at certain ethnic and religious groups inside China.

Once a device was infected, the payload would upload photos, messages, contacts, and even live GPS information to the command & control infrastructure. It also seems that Android and Windows devices were similarly targeted in the same attack.

Telegram Leaking Phone Numbers

Telegram, best known for encrypted messages, also allows for anonymous communication. Protesters in Hong Kong are using that feature to organize anonymously, through Telegram’s public group messaging. However, a data leak was recently discovered, exposing the phone numbers of members of these public groups. As you can imagine, protesters very much want to avoid being personally identified. The leak is based on a feature: Telegram wants to automatically connect you to other Telegram users whom you already know.

By default, your number is only visible to people who you’ve added to your address book as contacts.

Telegram is based on telephone numbers. When a new user creates an account, they are prompted to upload their contact list. If one of the uploaded contacts has a number already in the Telegram system, those accounts are automatically connected, causing the telephone numbers to become visible to each other. See the problem? An attacker can load a device with several thousand phone numbers, connect it to the Telegram system, and enter one of the target groups. If there is a collision between the pre-loaded contacts and the members of the group, the number is outed. With sufficient resources, this attack could even be automated, allowing for a very large information gathering campaign.

In this case, it seems such a campaign was carried out, targeting the Hong Kong protesters. One can’t help but think of the first story we covered, and wonder if the contact data from compromised devices was used to partially seed the search pool for this effort.
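To make the matching step concrete, here is an added Python model of number-based contact discovery. It is not Telegram’s code, the phone numbers and account names are constructed, and the server-side abuse check at the end (flagging uploads that are unusually large or made of sequential number ranges) is an assumed mitigation, not something Telegram is known to do. It shows which members of a group become visible to an account once its uploaded address book collides with their numbers, and how a service could spot a bulk-generated address book before honouring it.

```python
"""Model of phone-number contact discovery and a server-side abuse heuristic.

Added example, not Telegram's code. All numbers and accounts are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# Constructed sample registry: phone number -> account name (not real numbers).
REGISTERED: Dict[str, str] = {
    "+85291000001": "alice",
    "+85291000002": "bob",
    "+85291000003": "carol",
    "+85291000777": "dave",
}


@dataclass
class ContactDiscovery:
    """Minimal model of number-based contact discovery (an assumption about how
    such a service works, not Telegram's implementation)."""
    registered: Dict[str, str]
    uploads: Dict[str, Set[str]] = field(default_factory=dict)

    def sync_contacts(self, account: str, numbers: Iterable[str]) -> Dict[str, str]:
        """Record an address-book upload and return the matches (number -> account).

        Every match makes the two accounts mutually visible, which is the leak:
        the uploader now knows which registered user owns each matched number."""
        book = set(numbers)
        self.uploads[account] = book
        return {n: self.registered[n] for n in book if n in self.registered}

    def exposed_members(self, account: str, group: Iterable[str]) -> Set[str]:
        """Members of `group` whose phone numbers `account` can now see."""
        book = self.uploads.get(account, set())
        visible_accounts = {self.registered[n] for n in book if n in self.registered}
        return set(group) & visible_accounts


def run_density(numbers: Iterable[str]) -> float:
    """Fraction of numbers whose immediate successor is also in the upload.

    A real address book is sparse; a generated range of consecutive numbers is
    dense, so this is a cheap signal for bulk-loaded contact lists."""
    digits = {int(n.lstrip("+")) for n in numbers}
    if not digits:
        return 0.0
    return sum(1 for d in digits if d + 1 in digits) / len(digits)


def flag_upload(numbers: Iterable[str], max_contacts: int = 2000,
                min_sample: int = 50, max_density: float = 0.2) -> List[str]:
    """Return the reasons an upload looks like bulk number loading (empty if none).

    The thresholds are assumptions chosen for illustration; a service would tune
    them against its own population of genuine address books."""
    nums = set(numbers)
    reasons: List[str] = []
    if len(nums) > max_contacts:
        reasons.append("too_many_contacts")
    if len(nums) >= min_sample and run_density(nums) > max_density:
        reasons.append("sequential_ranges")
    return reasons


if __name__ == "__main__":
    cd = ContactDiscovery(dict(REGISTERED))
    # A constructed upload of ten consecutive numbers collides with three accounts.
    generated = [f"+852910000{i:02d}" for i in range(10)]
    print("matches:", cd.sync_contacts("scanner", generated))
    print("exposed:", cd.exposed_members("scanner", ["alice", "bob", "dave", "erin"]))
    print("flags on a 100-number range:", flag_upload([f"+852910{i:05d}" for i in range(100)]))
```

The `exposed_members` call is the defender’s view of the damage: for a given group and a given uploaded address book, it answers exactly which members have been identified. The `flag_upload` heuristic is where a service can intervene before the match is honoured; a genuine address book of a few hundred contacts scattered across prefixes has a run density near zero, while a generated block of a prefix scores close to one.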

The Hack of @Jack

You may have seen that Twitter’s CEO, Jack [@Jack] Dorsey’s Twitter account was hacked, and a series of unsavory tweets were sent from that account. This seems to be a continuing campaign by [chucklingSquad], who have also targeted other high profile accounts. How did they manage to bypass two factor authentication and a strong password? Cloudhopper. Acquired by Twitter in 2010, Cloudhopper is the service that automatically posts a user’s SMS messages to Twitter.

Rather than a username and password, or a security token, the user is secured only by their cell phone number. Enter the port-out and SIM-swap scams, two similar techniques that can be used to steal a phone number. The port-out scam takes advantage of the legal requirement that phone numbers be portable between carriers: the attacker claims to be switching to a new carrier, taking the target’s number along. In a SIM-swap scam, the attacker convinces the carrier that they are switching to a new phone and a new SIM card. It’s not clear which technique was used, but I suspect a port-out scam, as Dorsey hadn’t gotten his cell number back after several days, while a SIM-swap scam can be resolved much more quickly.

Google’s Bug Bounty Expanded

In more positive news, Google has announced the expansion of their bounty programs. In effect, Google is now funding bug bounties for the most popular apps on the Play store, in addition to Google’s own code. This seems like a ripe opportunity for aspiring researchers, so go pick an app with over 100 million downloads, and dive in.

In an odd coincidence, that 100 million number is approximately how many downloads CamScanner had when it was pulled from the Play store for malicious behavior. This seems to have been caused by a third party advertisement library.

Updates

Last week we talked about Devcore and their VPN Appliance research work. Since then, they have released part 3 of their report. Pulse Secure doesn’t have nearly as easily exploited vulnerabilities, but the Devcore team did find a pre-authentication vulnerability that allowed reading arbitrary data off the device filesystem. As a victory lap, they compromised one of Twitter’s vulnerable devices, reported it to Twitter’s bug bounty program, and took home the highest tier reward for their trouble.

3D Printering: The Search For Better Search

There’s no question that a desktop 3D printer is at its most useful when it’s producing parts of your own design. After all, if you’ve got a machine that can produce physical objects to your exacting specifications, why not give it some? But even the most diligent CAD maven will occasionally defer to an existing design, as there’s no sense spending the time and effort creating their own model if a perfectly serviceable one is already available under an open source license.

But there’s a problem: finding these open source models is often more difficult than it should be. The fact of the matter is, the ecosystem for sharing 3D printable models is in a very sorry state. Thingiverse, the community’s de facto model repository, is antiquated and plagued with technical issues. Competitors such as Pinshape and YouMagine are certainly improvements on a technical level, but without the sheer number of models and designers that Thingiverse has, they’ve been unable to earn much mindshare. When people are looking to download 3D models, it stands to reason that the site with the most models will be the most popular.

It’s a situation that the community is going to have to address eventually. As it stands, it’s something of a minor miracle that Thingiverse still exists. Owned and operated by Makerbot, the company that once defined the desktop 3D printer but is today all but completely unknown in a market dominated by low-cost printers from the likes of Monoprice and Creality, it seems only a matter of time before the site finally goes dark. They say it’s unwise to put all of your eggs in one basket, and doubly so if the basket happens to be on fire.

So what will it take to get people to consider alternatives to Thingiverse before it’s too late? Obviously, snazzy modern web design isn’t enough to do it. Not if the underlying service operates on the same formula. To really make a dent in this space, you need a killer feature. Something that measurably improves the user experience of finding the 3D model you need in a sea of hundreds of thousands. You need to solve the search problem.


BornHack 2019, A Laid-Back Hacker Camp In A Danish Forest

This is a fantastic summer for hacker camps and I was very happy to make it to BornHack this year. This week-long camp attracts hackers from all over Europe and the mix of a few hundred friends and soon-to-be friends who gathered on the Danish island of Fyn delivered a unique experience for the curious traveller.

The camp takes place at the Hylkedam Danish scout camp, located in a forest amid the rolling Danish farmland not too far from the small town of Gelsted. It’s a few kilometres from a motorway junction, but easy enough to find after the long haul up from the UK via the Channel Tunnel. As an aside, every bored cop between France and the Danish border wanted to stop my 20-year-old right-hand-drive Volkswagen on UK plates, but soon lost interest after walking up to the passenger side and finding no driver. It seems Brits are considered harmless, which is good to hear.

Clean Water Technologies Hack Chat

Join us on Wednesday, September 4th at noon Pacific for the Clean Water Technologies Hack Chat with Ryan Beltrán!

Access to clean water is something that’s all too easy to take for granted. When the tap is turned, delivering water that won’t sicken or kill you when you drink it, we generally stop worrying. But for millions around the world, getting clean water is a daily struggle, with disease and death often being the penalty for drinking from a compromised source. Thankfully, a wide range of water technologies is available to help secure access to clean water. Most are expensive, though, especially at the scale needed to supply even a small village.

Seeing a need to think smaller, Ryan started MakeWater.org, a non-profit program that seeks to give anyone the power to make clean water through electrocoagulation, or the use of electric charge to precipitate contaminants from water. There’s more to MakeWater than electrocoagulation kits, though. By partnering with STEM students and their teachers, MakeWater seeks to crowdsource improvements to the technology, incorporating student design changes into the next version of the kit. They also hope to inspire students to develop the skills they need to tackle real-world problems and make a difference in the lives of millions.

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, September 4 at 12:00 PM Pacific time. If time zones have got you down, we have a handy time zone converter.

Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about.

Hackaday Links: September 1, 2019

The sun may be spotless, but that doesn’t mean it isn’t doing interesting things. A geomagnetic storm is predicted for this weekend, potentially giving those at latitudes where the Northern Lights are not common a chance to see a cosmic light show. According to SpaceWeather.com, a coronal hole, a gap in the sun’s atmosphere that can let the solar wind escape, is about to line up with Earth. The last time this hole was on the Earth-facing side of the sun, the resultant storm gave aurora as far south as Colorado. So if you’re in any of the northern tier states, you might want to find somewhere with dark skies and a good view to the north this weekend.

It’s not only space weather that’s in the news, but weather-weather too. Hurricane Dorian will probably make landfall as a Category 4 storm, probably along Florida’s Atlantic coast, and probably in the middle of the night on Monday. That’s a lot of uncertainty, but one thing’s for sure: amateur radio operators will be getting into the action. The Hurricane Watch Net will activate their net for Dorian on Saturday afternoon at 5:00 PM Eastern time, ready to take reports from stations in the affected area. Not a ham? You can still listen to the live feed once the net activates.

Hams aren’t the only ones getting geared up for Dorian, though. Weather satellite enthusiasts are pointing their SDRs at the sky and grabbing some terrifyingly beautiful pictures of Dorian as it winds up. Some of the downloaded images are spectacular, and if you’ve got an SDR dongle and a couple of pieces of coat hanger wire, you too can spy on Dorian from any number of satellites.

Speaking of which, over on r/RTLSDR, someone has done a little data mining and shown that NOAA 15 is still very much alive. u/amdorj plotted the scan motor current draw and found that it steadily decreased over time, possibly indicating that the bearings aren’t as worn as previously thought. We recently covered the story of the plucky satellite that’s almost two decades past its best-by date; here’s hoping our report on its death was greatly exaggerated.

In one of the weirder bits of marketing we’ve seen lately, NASA decided to name a rock on Mars after septuagenarian rockers The Rolling Stones. The golf ball size rock was blasted about a meter across the Martian landscape when the Mars InSight lander touched down in 2018, leaving a small scar in the dust. The stone had obviously rolled, so phone calls were made and one thing led to another, and before you know it, Robert Downey Jr. is making the announcement before a Stones concert at the Rose Bowl, right in JPL’s backyard. There’s even a cute animation to go along with it. It’s a nice piece of marketing, but it’s not the first time the Stones have been somewhat awkwardly linked to the technology world. We dare you not to cringe.

We’ll finish up today with something not related to space. As Al Williams recently covered, for about fifty bucks you can now score a vector network analyzer (VNA) that will do all sorts of neat RF tricks. The NanoVNA sounds like a great buy for anyone doing RF work, but its low price point and open-source nature mean people are finding all kinds of nifty uses for it. One is measuring the length of coax cables with time-domain reflectometry, or TDR. Phasing antenna arrays? The NanoVNA sounds like the perfect tool for the job.

Hackaday Podcast 033: Decompressing From Camp, Nuclear Stirling Engines, Carphone Or Phonecar, And ArduMower

Hackaday Editors Mike Szczys and Elliot Williams are back from Chaos Communication Camp, and obviously had way too much fun. We cover all there was to see and do, and dig into the best hacks from the past week. NASA has a cute little nuclear reactor they want to send to the moon, you’ve never seen a car phone quite like this little robot, and Ardupilot (Ardurover?) is going to be the lawn mowing solution of the future. Plus you need to get serious about debugging embedded projects, and brush up on your knowledge of the data being used to train facial recognition neural networks.

Take a look at the links below if you want to follow along, and as always tell us what you think about this episode in the comments!

Direct download (60 MB or so.)