VanMoof E-Bike Bankruptcy: The Risks Of Cloud-Connected Transport

July 23, 2023 by Maya Posch 66 Comments

When the bankruptcy of VanMoof, the company behind a series of e-bikes, was announced recently, many probably shrugged at this news. After all, what is an e-bike but a regular bicycle that has some electronics and a battery strapped to it to assist with cycling? Unfortunately for owners of a VanMoof e-bike, their fancy wheels come with a Bluetooth-connected smartphone app that somehow involves storing a special encryption key on the VanMoof servers, as detailed by [Gergely Orosz] at the Pragmatic Engineer. Without this key that is connected to your VanMoof account, your VanMoof app cannot communicate with your VanMoof e-bike.

Although basic functionality of the e-bike will be retained, features such as setting the gear modes, changing assistance mode, locking the bicycle and other features not exposed on the bicycle itself will be lost. Essentially this is the equivalent of losing the remote control to a modern-day TV and getting locked out of 90% of the device’s features.

Fortunately, as [Gergely] and others are (urgently) pointing out to VanMoof e-bike owners, this special key can be downloaded with a Key Exporter project on GitHub, as well as obtained and used with an alternative app by Cowboy Bikes, which is a competitor of VanMoof. The unfortunate reality remains, however, that should you lose this special key, you are going to be in a world of pain as your expensive e-bike now is mostly an e-brick.

(Thanks to [Jan Praegert] for the tip)

2600 Breaks Free From DRM With PDF/EPUB Subscription

July 21, 2023 by Tom Nardi 13 Comments

Hackaday has been online in some form or another since 2004, which for the Internet, makes us pretty damn old. But while that makes us one of the oldest surviving web resources for hacker types, we’ve got nothing on 2600 — they’ve been publishing their quarterly zine since 1984.

While the physical magazine can still be found on store shelves, the iconic publication expanded into digital distribution some time ago, thanks largely to the Kindle’s Newsstand service. Unfortunately, that meant Amazon’s recent decision to shutter Newsstand threatened to deprive 2600 of a sizable chunk of their income. So what would any group of hackers do? They took matters into their own hands and spun-up their own digital distribution system.

As of today you’re able to subscribe to the digital version of 2600 in DRM-free PDF or EPUB formats, directly from the magazine’s official website. Which one you pick largely depends on how you want to read it: those looking for the highest fidelity experience should go with PDF, as it features an identical layout to the physical magazine, while those who are more concerned with how the content looks on their reader of choice would perhaps be better served by the flexibility of EPUB. After signing up you can download the current Summer issue immediately, with future issues hitting your inbox automatically. Load it onto your home-built Open Book, and you can really stick it to the establishment.

While the ending of this story seems to be a happy one, we can’t help but see it as a cautionary tale. How many other magazines would have the means and experience to offer up their own digital subscriptions? Or for that matter, how many could boast readers savvy enough to utilize it? The reality is many publications will be injured by Amazon’s decision, some mortally so. That’s a lot of power to be put into the hands of just one company, no matter how quick the shipping is.

This Week In Security: Dating App, WooCommerce, And OpenSSH

July 21, 2023 by Jonathan Bennett 4 Comments

Up first this week is a report from vpnMentor, covering the unsecured database backing a set of dating apps, including 419 Dating. The report is a bit light on the technical details, like what sort of database this was, or how exactly it was accessed. But the result is 2.3 million exposed records, containing email address, photos — sometimes explicit, and more. Apparently also exposed were server backups and logs.

The good news here is that once [Jeremiah Fowler] discovered the database door unlocked and hanging open, he made a disclosure, and the database was secured. We can only hope that it wasn’t discovered by any bad actors in the meantime. The app has now disappeared from the Google Play store, and had just a bit of a sketchy air about it.

WooCommerce Under Siege

Back in March, CVE-2023-28121 was fixed in the WooCommerce plugin for WordPress. The issue here is an authentication bypass that allows an unauthenticated user to commandeer other user accounts.

Within a few months, working exploits had been derived from the details of the patch plugging the hole. It wasn’t hard. A function for determining the current user was explicitly trusting the contents of the X-WCPAY-PLATFORM-CHECKOUT-USER request header. Set that value in a request sent to the server, and ding, you’re administrator.

And now the cows are coming home to roost. Active exploitation started in earnest on July 14, and the folks at Wordfence clocked a staggering 1.3 million exploitation attempts on the 16th. What’s particularly interesting is that the Wordfence data gathering system saw a huge increase in requests for the readme.txt file that indicates the presence of the WooCommerce plugin on a WordPress site. These requests were observed before the attacks got started, making for an interesting early warning system. Continue reading “This Week In Security: Dating App, WooCommerce, And OpenSSH” →

This RISC-V CPU Games In Rust From Inside The Game

July 17, 2023 by Jonathan Bennett 14 Comments

[Xander Naumenko] has created something truly impressive — a working RISC-V CPU completely contained in a Terraria world. And then for added fun, he wrote the game of pong, playable in real time, from within the game of Terraria. It’s all based on the in-game wiring system, combined with a bit of a hack that uses the faulty lamp mechanic to create a very odd AND gate. In Terraria, the existing logic gates have timing issues that make them a no-go for complicated projects like this one. The faulty lamp is intended to do randomized outputs, by stacking multiple inputs to get a weighted output when a clock signal is applied. The hack is to simply give this device a single input, turning it into a clocked IF gate. Two of them together in series makes a clocked AND gate, and two in parallel make a clocked OR gate.

Why would [Xander] embark on this legendary endeavor? Apparently after over eight thousand hours clocked in game, one gets a bored of killing slimes and building NPC houses. And playing with the game’s wiring system turned on a metaphorical lightbulb, that the system could be used to build interesting systems. A prototype CPU, with a completely custom instruction set came next, and was powerful enough to compute Fibonacci. But that obviously wasn’t enough. Come back after the break for the rest of the story and the impressive video demonstration.

Continue reading “This RISC-V CPU Games In Rust From Inside The Game” →

DisplayPort: Under The Hood

July 17, 2023 by Arya Voronova 14 Comments

Last time, we looked at all the things that make DisplayPort unique for its users. What about the things that make it unique for hackers? Let’s get into all the ways that DisplayPort can serve you on your modern tech wrangling adventures.

You Are Watching The AUX Channel

With DisplayPort, the I2C bus we’ve always seen come bundled with VGA, DVI and HDMI, is no more – it’s been replaced by the AUX bus. AUX is a 1 MHz bidirectional diffpair – just a bit too complex for a cheap logic analyzer, though, possibly, something you could wrangle with the RP2040’s PIOs. Hacking thoughts aside, it’s a transparent replacement for I2C, so that software doesn’t have to be rewritten – for instance, it usually does I2C device passthrough over AUX, so that EDID data can still be stored in a separate EEPROM chip on the monitor or eDP LCD panel.

AUX isn’t just a differential bus, it’s more pseudodifferential, like USB2 – for instance, AUX_P and AUX_N are used separately, with a combination of 1 MΩ and 100 kΩ pullups and pulldowns signaling different states of the physical connection – for instance, a pullup on AUX+ and a pulldown on AUX- means that an external device has been connected. If you’d like to learn which combination of resistors means what, you can find in the DisplayPort specification, which isn’t distributed openly but isn’t hard to come by, either.

Also, DisplayPort link training happens over AUX, and in order to facilitate that, a piece of DisplayPort controller’s external memory is usually exposed over the AUX channel, through a mechanism that’s called DPCD. If you dig a bit, using “DPCD” as the keyword, you can easily reach into the lower-level details of your DisplayPort connection. Some of the DPCD memory map is static, and some parts are FIFOs you can funnel data into, or out of. You can find a wide variety of documents online which describe the DPCD structure – for now, here’s a piece of Bash that works on Linux graphics drivers for AMD and Intel, and will show you you the first 16 bytes of DPCD:

# sudo dd if=/dev/drm_dp_aux0 bs=1 skip=256 count=16 |xxd 00000000: 0084 0000 0000 0000 0108 0000 0000 0000 ................ [...]

In particular, the 4th nibble (digit) here describes the amount of lanes for the DisplayPort link established – as you can see, my laptop uses a four-lane link. Also, the /dev/drm_dp_aux0 path might need to be adjusted for your device. In case you ever want to debug your DP link, having direct access to the DPCD memory space like this might help you quite a bit! For now, let’s move onto other practical aspects. Continue reading “DisplayPort: Under The Hood” →

Improving Ocean Power With Static Electricity

July 16, 2023 by Al Williams 19 Comments

Water is heavy, so if you think about it, a moving ocean wave has quite a bit of energy. Scientists have a new way to use triboelectric generators to harvest that power for oceangoing systems. (PDF) Triboelectric nanogenerators (TENGs) are nothing new, but this new approach allows for operation where the waves have lower amplitude and frequency, making traditional systems useless.

The new approach uses a rotor and a stator, along with some aluminum, magnets, and — no kidding — rabbit fur. The stator is 3D printed in resin. The idea is to mechanically accumulate and amplify small low-frequency waves into high-frequency motion suitable for triboelectric generation.

Continue reading “Improving Ocean Power With Static Electricity” →

Gravity Wave Detector Is Galactic Sized

July 15, 2023 by Al Williams 13 Comments

Detecting gravity waves isn’t easy. But what if you had a really big detector for a long time? That’s what researchers did when they crunched 15 years’ worth of data from the NANOGrav data set. The data was collected from over 170 radio astronomers measuring millisecond pulsars as a way to potentially detect low-frequency gravity waves.

Millisecond pulsars spin fast and make them ideal for the detection of low-frequency gravity waves, which are difficult to detect. The bulk of the paper is about the high-powered data analysis for a very large data set.

Continue reading “Gravity Wave Detector Is Galactic Sized” →