Most readers will be familiar with the ESP32, Espressif’s dual-core processor with integrated WiFi and Bluetooth. Few of us though will have explored all of its features, including its built-in encryption facilities and secure booting capability. With these, a developer can protect and secure their code, and keep their devices secure.
That sense of security may now be illusory though, thanks to [LimitedResults] who has developed a series of attacks on the chip that compromise its crypto core, secure boot, and flash encryption. This enables both the chance of arbitrary code execution and firmware extraction on locked-down ESP32 devices.
To achieve all this he used a glitching technique on the device’s power supply, inserting a carefully timed glitch in the rail to coincide with a particular instruction being executed. For those of us who are not experts in this technique, he provides a basic primer with a description of his home-made glitcher made using a CMOS switch chip.
It appears that there is no solution to this attack short of new silicon, however, it should be borne in mind that it’s something that depends upon a specialist hacker with a well-equipped bench, and is thus only likely to be a significant headache to manufacturers. But it undermines a key feature of a major line of microcontrollers, and as such it remains a significant piece of work.
An issue was discovered in libarchivethrough Google’s ClusterFuzz project. Libarchive is a compression and decompression library, widely used in utilities. The issue here is how the library recovers from a malformed archive. Hitting an invalid header causes the memory in use to be freed. The problem is that it’s possible for file processing to continue even after that working memory has been freed, leading to all kinds of problems. So far an actual exploit hasn’t been revealed, but it’s likely that one is possible. The problem was fixed back in May, but the issue was just announced to give time for that update to percolate down to users.
Bad news if you bought several Insignia-branded smart devices from Best Buy. The company has decided to shut down the back end systems that make them work — or at least work as a smart device. On the chopping block are smart outlets, switches, a security camera, and an upright freezer. If you bought, say, the freezer, it will still keep things cold. But the security camera will apparently be of no use at all now that the backend systems have gone dark. The company is offering an unspecified partial refund to users of the affected devices.
Best Buy announced this in September, and the shutdown date was last week on November 6th. Not all Insignia products are impacted, just the ones that rely on their app.
Anytime we talk about cloud-based technology, there are always a few people who say something like, “I’ll never rely on anything in the cloud!” Perhaps they have a point — certainly in this case they were right. There are really two things to consider: hardware devices that rely on the cloud, and data that resides in the cloud. In some cases, one product — like a camera — might have both.
Probably the most efficient way to convert solar energy into electricity is the old fashioned way, heating water into steam and turning a turbine. This remains a messy affair though and you don’t really want a steam boiler on your roof, so solar cells are popular. However, there’s some new research showing how a molecule can absorb solar energy, store it, and then release the heat on demand years later. This could offer new ways to collect and even transport solar power. This new molecule, derived from azobenzene, holds immense promise to change the way we work with solar power.
For all the successes of modern weather forecasting, where hurricanes, blizzards, and even notoriously unpredictable tornadoes are routinely detected before they strike, reliably predicting one aspect of nature’s fury has eluded us: earthquakes. The development of plate tectonic theory in the middle of the 20th century and the construction of a worldwide network of seismic sensors gave geologists the tools to understand how earthquakes happened, and even provided the tantalizing possibility of an accurate predictor of a coming quake. Such efforts had only limited success, though, and enough false alarms that most efforts to predict earthquakes were abandoned by the late 1990s or so.
It may turn out that scientists were looking in the wrong place for a reliable predictor of coming earthquakes. Some geologists and geophysicists have become convinced that instead of watching the twitches and spasms of the earth, the state of the skies above might be more fruitful. And they’re using the propagation of radio waves from both space and the ground to prove their point that the ionosphere does some interesting things before and after an earthquake strikes.
Considering that it’s only existed for around a decade, the commercial desktop 3D printing market has seen an exceptional amount of turnover. But then, who could resist investing in an industry that just might change the world? It certainly didn’t hurt that the MakerBot Cupcake, arguably the first “mass market” desktop 3D printer, was released the same month that Kickstarter went live. We’ve long since lost count of the failed 3D printer companies that have popped up in the intervening years. This is an industry with only a handful of remaining veterans.
One of the few that have been with us since those heady early days is LulzBot, founded in 2011 by parent company Aleph Objects. Their fully open source workhorses are renowned for their robust design and reliability, though their high prices have largely kept them off the individual hacker’s bench. LulzBot was never interested in the race to the bottom that gave birth to the current generation of sub-$200 printers. Their hardware was always positioned as a competitor to the likes of Ultimaker and MakerBot, products where quality and support are paramount above all else.
NASA’s modified LulzBot
While LulzBot printers never made an impact on the entry-level market, there are institutions willing to purchase a highly dependable American-made 3D printer regardless of cost. The United States Marines used LulzBot printers to produce replacement Humvee door handles in the field, and some of the modifications that were necessary to meet their stringent requirements eventually resulted in updates to the consumer version of the printer. NASA used a highly modified LulzBot TAZ 4 to print PEI at temperatures as high as 500°C, producing parts far stronger than anything that had previously been made on a desktop 3D printer.
Yet despite such auspicious customers, LulzBot has fallen on difficult times. Consumers have made it abundantly clear they aren’t willing to pay more than $1,000 for a desktop printer, and competition above that price point is particularly fierce. Last month we started hearing rumblings in the Tip Line that the vast majority of LulzBot staff were slated to be let go, and we soon got confirmation and hard numbers from local media. Of the company’s 113 employees, only 22 would remain onboard to maintain day-to-day operations. Production on their flagship models would continue, albeit at a reduced pace, and all existing warranties would be honored. But the reduction in staff and limited cash flow meant that the development of future products, such as the LulzBot Bio tissue printer, would be put on hold.
LulzBot wasn’t quite dead, but it was hard to see this as anything but a step on the road to insolvency. A number of insiders we spoke to said they had heard a buyout was expected, and today we can report that the sale of Aleph Objects to Fargo Additive Manufacturing Equipment 3D (FAME 3D) is official. Production of the current LulzBot models is expected to continue, and some of the 91 laid off employees are likely to be hired back, but continuing Aleph Objects CEO Grant Flaharty says the details are still being finalized.
This new financial backing, provided by a venture capitalist, is certainly good news. But it would be naive to think this is the end of LulzBot’s troubles. The market has spoken, and unless the company is willing to introduce a vastly cheaper version of their printer to entice the entry-level customer as Prusa Research has recently done, it’s unclear how an infusion of cash will do anything but delay the inevitable.
For what it’s worth, we hope LulzBot finds some way to thrive. The ideal of building fully open source printers is something near and dear to the heart of Hackaday, but after the loss of PrintrBot, we’re all keenly aware of how difficult it is for small American companies to compete in the modern 3D printing market.
People who were subscribed to updates on the Alexa Connect Kit (ACK) would recently have received an email informing that this kit is now available for sale. Last time we covered the ACK was back in September of 2018, the ‘release’ moniker meant ‘preview’ and there wasn’t any hardware one could actually purchase.
Over a year a later it seems that we can now finally get our grubby mitts on this kit that should enable us to make any of our projects Alexa-enabled. What this basically seems to mean is that one can spend close to 200 US dollars on an Arduino Zero and an Arduino shield-mounted WM-BN-MT-52 module from USI (though not listed on their site, but similar to the WM-BN-BM-22?) that integrates a 192 MHz Cortex-M MCU and a WiFi/Bluetooth module, as summarized on the Amazon Developer page for the ACK.
