A PCR machine with its side cover taken off exposing its guts, and the tray extended out

Making A PCR Machine Crypto Sign Its Results

March 1, 2025 by Arya Voronova 20 Comments

Money, status, or even survival – there’s no shortage of incentives for faking results in the scientific community. What can we do to prevent it, or at least make it noticeable? One possible solution is cryptographic signing of measurement results.

Here’s a proof-of-concept from [Clement Heyd] and [Arbion Halili]. They took a ThermoFisher Scientific 7500 Fast PCR (Polymerase Chain Reaction) machine, isolated its daughter-software, and confined it into a pipeline that automatically signs each result with help of a HSM (Hardware Security Module).

A many machines do, this one has to be paired to a PC, running bespoke software. This one’s running Windows XP, at least! The software got shoved into a heavily isolated virtual machine running XP, protected by TEE (Trusted Execution Environment). The software’s output is now piped into a data diode virtual serial port out of the VM, immediately signed with the HSM, and signed data is accessible through a read-only interface. Want to verify the results’ authenticity? Check them against the system’s public key, and you’re golden – in theory.

This design is just a part of the puzzle, given a typical chain of custody for samples in medical research, but it’s a solid start – and it happens to help make the Windows XP setup more resilient, too.

Wondering what PCR testing is good for? Tons of things all over the medical field, for instance, we’ve talked about PCR in a fair bit of detail in this article about COVID-19 testing. We’ve also covered a number of hacker-built PCR and PCR-enabling machines, from deceivingly simple to reasonably complex!

This Week In Security: Malicious Themes, Crypto Heists, And Wallbleed

February 28, 2025 by Jonathan Bennett 13 Comments

It’s usually not a good sign when your downloaded theme contains obfuscated code. Yes, we’re talking about the very popular Material Theme for VSCode. This one has a bit of a convoluted history. One of the authors wanted to make some money from all those downloads. The original Material Theme was yanked from the VSCode store, the source code (improperly) re-licensed as closed source, and replaced with freemium versions. And this week, those freemium versions have been pulled by Microsoft for containing malware.
Continue reading “This Week In Security: Malicious Themes, Crypto Heists, And Wallbleed” →

This Week In Security: OpenSSH, JumbledPath, And RANsacked

February 21, 2025 by Jonathan Bennett 8 Comments

OpenSSH has a newly fixed pair of vulnerabilities, and while neither of them are lighting the Internet on fire, these are each fairly important.

The central observation made by the Qualsys Threat Research Unit (TRU) was that OpenSSH contains a code paradigm that could easily contain a logic bug. It’s similar to Apple’s infamous goto fail; SSL vulnerability. The setup is this: An integer, r, is initialized to a negative value, indicating a generic error code. Multiple functions are called, with r often, but not always, set to the return value of each function. On success, that may set r to 0 to indicate no error. And when one of those functions does fail, it often runs a goto: statement that short-circuits the rest of the checks. At the end of this string of checks would be a return r; statement, using the last value of r as the result of the whole function.

Continue reading “This Week In Security: OpenSSH, JumbledPath, And RANsacked” →

The US Military’s Unsecured UFO Satellites And Their Use By Russia

February 19, 2025 by Maya Posch 31 Comments

Something that you generally don’t expect as a North-America-based enthusiast, is to listen in on Russian military communications during their war in Ukraine via WebSDR, or that these communications would be passing through US military satellites that are happy to just broadcast anything. Yet that’s the situation that the Saveitforparts YouTube channel recently described. As it turns out, there is a gaggle of UFOs up there, as the US DoD lovingly calls them.

Between 1979 and 1989 eight FLTSATCOM launches took place, with FLTSATCOM 7 and 8 still operating today. They were later joined by their successor UHF Follow-On (UFO) with 11 launches between 1993 and 2003. All of these operate in the UHF spectrum, with some UFO satellites also covering other bands. Their goal is to provide communication for the military’s forces, with these satellites for the most part acting as simple repeaters. Over time non-military parties learned to use these satellites too, even if it’s technically illegal in many jurisdictions.

As described in the video, if you listen in on WebSDR streams from Ukraine, you can not only find encrypted military comms, but also unencrypted Russian radio traffic. It seems that in lieu of being provided with proper (encrypted) radio systems, Russian forces are using these US military satellites for communication much like how US (and NATO) forces would have. This is reminiscent of how Russian troops were caught using Discord via Starlink for communication, before Russian command shutdown Discord.

Continue reading “The US Military’s Unsecured UFO Satellites And Their Use By Russia” →

This Week In Security: The UK Wants Your ICloud, Libarchive Wasn’t Ready, And AWS

February 14, 2025 by Jonathan Bennett 15 Comments

There’s a constant tension between governments looking for easier ways to catch criminals, companies looking to actually protect their users’ privacy, and individuals who just want their data to be truly private. The UK government has issued an order that threatens to drastically change this landscape, at least when it comes to Apple’s iCloud backups. The order was issued in secret, and instructed Apple to provide a capability for the UK officials to access iCloud backups that use the Advanced Data Protection (ADP) system. ADP is Apple’s relatively new end-to-end encryption scheme that users can opt-into to make their backups more secure. The key feature here is that with ADP turned on, Apple themselves don’t have access to decrypted user data.

If this order wasn’t onerous enough, it seems to explicitly include all ADP-protected data, regardless of the country of origin. This should ring alarm bells. The UK government is attempting to force a US company to add an encryption backdoor to give them access to US customer data. Cryptographer [Matthew Green] has thoughts on this situation. One of the slightly conspiratorial theories he entertains is that portions of the US government are quietly encouraging this new order because the UK has weaker protections against unreasonable search and seizure of data. The implication here is that those elements in the US would use this newfound UK data access capability to sidestep Fourth Amendment protections of citizens’ data. This doesn’t seem like much of a stretch.

[Matthew] does have a couple of suggestions. The first is passing laws that would make it illegal for a US company to add backdoors to their systems, specifically at the request of foreign nations. We’ve seen first-hand how such backdoors can backfire once accessed by less-friendly forces. In an ironic turn of fate, US agencies have even started recommending that users use end-to-end encrypted services to be safe against such backdoors. Technically, if this capability is added, the only recourse will be to disable iCloud backups altogether. Thankfully Apple has pushed back rather forcefully against this order, threatening to simply turn off ADP for UK users, rather than backdoor the rest of the world. Either way, it’s a scary bit of overreach.

Continue reading “This Week In Security: The UK Wants Your ICloud, Libarchive Wasn’t Ready, And AWS” →

Laser Cut Acrylic Provides Movie-Style Authentication

February 12, 2025 by Tom Nardi 13 Comments

Here at Hackaday, we pride ourselves on bringing you the latest and greatest projects for your viewing pleasure. But sometimes we come across a creation so interesting that we find ourselves compelled to write about it, even if it’s already been hanging around the Internet for years. This may or may not be due to the fact that we just re-watched Crimson Tide, and found ourselves on a self-imposed dive into a very particular rabbit hole…

If you’ve seen Crimson Tide, or the first few minutes of WarGames, you might already know what this post is about. Both films prominently make use of a one-time authentication device which the user snaps in half to reveal a card that has some secret code printed on it — and as it turns out, there are at least two different projects that aim to replicate the props used in the movies.

Continue reading “Laser Cut Acrylic Provides Movie-Style Authentication” →

Screenshot of Linux in a PDF in a browser

Nice PDF, But Can It Run Linux? Yikes!

February 10, 2025 by Heidi Ulrich 21 Comments

The days that PDFs were the granny-proof Swiss Army knives of document sharing are definitely over, according to [vk6]. He has managed to pull off the ultimate mind-bender: running Linux inside a PDF file. Yep, you read that right. A full Linux distro chugging along in a virtual machine all encapsulated within a document. Just when you thought running DOOM was the epitome of it. You can even try it out in your own browser, right here. Mind-boggling, or downright Pandora’s box?

Let’s unpack how this black magic works. The humble PDF file format supports JavaScript – with a limited standard library, mind you. By leveraging this, [vk6] managed to compile a RISC-V emulator (TinyEMU) into JavaScript using an old version of Emscripten targeting asm.js instead of WebAssembly. The emulator, embedded within the PDF, interfaces with virtual input through a keyboard and text box.

The graphical output is ingeniously rendered as ASCII characters – each line displayed in a separate text field. It’s a wild solution but works astonishingly well for something so unconventional.

Security-wise, this definitely raises eyebrows. PDFs have long been vectors for malware, but this pushes things further: PDFs with computational power. We know not to trust Word documents, whether they just capable of running Doom, or trash your entire system in a blink. This PDF anomaly unfolds a complete, powerful operating system in front of your very eyes. Should we think lightly, and hope it’ll lead to smarter, more interactive PDFs – or will it bring us innocent looking files weaponized for chaos?

Curious minds, go take a look for yourself. The project’s code is available on GitHub.

Continue reading “Nice PDF, But Can It Run Linux? Yikes!” →

Hackaday

Security Hacks

1517 Articles

Making A PCR Machine Crypto Sign Its Results

This Week In Security: Malicious Themes, Crypto Heists, And Wallbleed

This Week In Security: OpenSSH, JumbledPath, And RANsacked

The US Military’s Unsecured UFO Satellites And Their Use By Russia

This Week In Security: The UK Wants Your ICloud, Libarchive Wasn’t Ready, And AWS

Laser Cut Acrylic Provides Movie-Style Authentication

Nice PDF, But Can It Run Linux? Yikes!

Search

Never miss a hack

If you missed it

On 3D Scanners And Giving Kinects A New Purpose In Life

The Hottest Spark Plugs Were Actually Radioactive

A Cut Above: Surgery In Space, Now And In The Future

Two Decades Of Hackaday In Words

Spy Tech: The NRO And Apollo 11

Our Columns

Hackaday Links: October 5, 2025

How Do The Normal People Survive?

Hackaday Podcast Episode 340: The Best Programming Language, Space Surgery, And Hacking Two 3D Printers Into One

This Week In Security: CVSS 0, Chwoot, And Not In The Threat Model

How Hydraulic Ram Pumps Push Water Uphill With No External Power Input

Search

Never miss a hack

Subscribe

If you missed it

Our Columns