An Analog Charge Pump Fabrication-Time Attack Compromises A Processor

We are all used to malicious software: computers and operating systems compromised by viruses, worms, or Trojans. It has become a fact of life, and a whole industry of virus checking software exists to help users defend against it.

Underlying our concerns about malicious software is an assumption that the hardware is inviolate, that the computer itself cannot be inherently compromised. It’s a false one though, as it is perfectly possible for a processor or other integrated circuit to have a malicious function included in its fabrication. You might think that such functions would not be included by a reputable chip manufacturer, and you’d be right. Unfortunately, because the high cost of chip fabrication means that the semiconductor industry is a web of third-party fabrication houses, there are many opportunities for extra components to be inserted before the chips are manufactured. University of Michigan researchers have produced a paper on the subject (PDF) detailing a particularly clever attack on a processor that minimizes the number of components required through clever use of a FET gate in a capacitive charge pump.

On-chip backdoors have to be physically stealthy, difficult to trigger accidentally, and easy to trigger by those in the know. Their designers will find a line that changes logic state rarely, and attach a counter to it such that when they make it change state a certain number of times that would never happen accidentally, the exploit is triggered. In the past these counters have been traditional logic circuitry, an effective approach but one that leaves a significant footprint of extra components on the chip for which space must be found, and which can become obvious when the chip is inspected through a microscope.

The University of Michigan backdoor is not a counter but an analog charge pump. Every time its input is toggled, a small amount of charge is stored on the capacitor formed by the gate of a transistor, and eventually its voltage reaches a logic level such that an attack circuit can be triggered. They attached it to the divide-by-zero flag line of an OR1200 open-source processor, from which they could easily trigger it by repeatedly dividing by zero. The beauty of this circuit is both that it uses very few components so it can hide more easily, and that the charge leaks away with time so it cannot persist in a state likely to be accidentally triggered.
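The two paragraphs above describe why the charge pump behaves like a counter that forgets: each toggle adds a little charge, leakage drains it, and only a dense burst of toggles pushes the gate voltage over the logic threshold. The model below is an added example written for this page, not code or data from the Michigan paper. The charge added per toggle, the leak rate, the supply rail and the threshold are constructed numbers chosen only to make the behaviour visible; the real circuit's values are not given here.

```python
"""Behavioural model of a leaky charge-pump trigger (added example).

Each toggle of the watched line deposits a fixed amount of charge on the
gate capacitor; every clock cycle a fraction of the stored charge leaks
away. The output is a logic high once the gate voltage crosses the
threshold. All numeric parameters are constructed for illustration.
"""

from dataclasses import dataclass


@dataclass
class ChargePumpTrigger:
    charge_per_toggle: float = 0.15  # volts added per toggle (constructed)
    leak_per_cycle: float = 0.05     # fraction of charge lost per cycle (constructed)
    threshold: float = 1.0           # gate voltage read as logic high (constructed)
    supply: float = 1.8              # the gate cannot charge above the rail (constructed)
    voltage: float = 0.0

    def step(self, toggled: bool) -> bool:
        """Advance one clock cycle; return True if the output is high."""
        # Leakage acts every cycle, whether or not the line toggled.
        self.voltage *= 1.0 - self.leak_per_cycle
        if toggled:
            self.voltage = min(self.voltage + self.charge_per_toggle, self.supply)
        return self.voltage >= self.threshold


def simulate(toggle_cycles, total_cycles, **params):
    """Run the pump for total_cycles, toggling on the given cycle numbers.

    Returns (ever_high, final_voltage): whether the trigger output was ever
    high during the run, and the gate voltage left at the end of it.
    """
    pump = ChargePumpTrigger(**params)
    toggles = set(toggle_cycles)
    ever_high = False
    for cycle in range(total_cycles):
        if pump.step(cycle in toggles):
            ever_high = True
    return ever_high, pump.voltage


def toggles_needed(max_toggles=1000, **params):
    """Consecutive toggles needed to fire, or None if leakage always wins."""
    pump = ChargePumpTrigger(**params)
    for n in range(1, max_toggles + 1):
        if pump.step(True):
            return n
    return None


if __name__ == "__main__":
    # A tight burst of divide-by-zero events on consecutive cycles fires it.
    print("consecutive toggles to fire:", toggles_needed())
    # The same number of toggles spread out over time never gets there.
    print("20 toggles, one every 10 cycles:", simulate(range(0, 200, 10), 200))
    # After firing, the charge leaks away and the output drops again.
    print("burst then 100 idle cycles:", simulate(range(8), 108))
```

The model shows the design trade-off the article points at: the stored voltage in the steady state is `charge_per_toggle / (1 - (1 - leak_per_cycle)**spacing)`, so a line that toggles rarely (large spacing) never accumulates enough charge, while the same trigger fires after a short burst. A defender looking for this kind of implant therefore cannot rely on counting events over a long window; the relevant signal is a dense burst on a line that should almost never change state.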

The best hardware hacks are those that are simple, novel, and push a device into doing something it would not otherwise have done. This one has all that, for which we take our hats off to the Michigan team.

If this subject interests you, you might like to take a look at a previous Hackaday Prize finalist: ChipWhisperer.

[Thanks to our colleague Jack via Wired]

ESP32’s Freedom Output Lets You Do Anything

The ESP32 is Espressif’s new wonder-chip, and one of the most interesting aspects of its development has been the almost entirely open-source development strategy that they’re taking. But the “almost” in almost entirely open is important — there are still some binary blobs in the system, and some of them are exactly where a hacker wouldn’t want them to be. Case in point: the low-level WiFi firmware.

So that’s where [Jeija]’s reverse engineering work steps in. He’s managed to decode enough of a function called ieee80211_freedom_output to craft and send apparently arbitrary WiFi data and management frames, and to monitor them as well.

This ability is insanely useful for a WiFi device. With low-level access like this, one can implement custom protocols for mesh networking, low-bandwidth data transfers, or remove the requirement for handshaking entirely. One can also spam a system with so many fake SSIDs that it crashes, deauth everyone, or generally cause mayhem. Snoop on your neighbors, or build something new and cool: with great power comes great responsibility.

Anyway, we reported on [Jeija]’s long distance hack and the post may have read like it was all about the antenna, but that vastly underestimates the role played by this firmware reverse-engineering hack. Indeed, we’re so stoked about the hack that we thought it was worth reiterating: the ESP32 is now a WiFi hacker’s dream.

Life On Contract: Hacking Your Taxes

You’re a contractor and people are paying you to work in your pajamas. It’s a life of luxury, but when tax time comes, you are in a world of hurt and you wonder why you even do it. Taxes are tricky, but there are some tools you can use to make it less painful on your pocketbook. With planning and diligence, you can significantly increase the amount of money that stays in your bank account. Continue reading “Life On Contract: Hacking Your Taxes”

Neural Networks: You’ve Got It So Easy

Neural networks are all the rage right now with increasing numbers of hackers, students, researchers, and businesses getting involved. The last resurgence was in the 80s and 90s, when there was little or no World Wide Web and few neural network tools. The current resurgence started around 2006. From a hacker’s perspective, what tools and other resources were available back then, what’s available now, and what should we expect for the future? For myself, a GPU on the Raspberry Pi would be nice.


ESP32’s Dev Framework Reaches 2.0

We’ve been watching the development of the ESP32 chip for the last year, but honestly we’ve been a little bit cautious to throw all of our friendly ESP8266s away just yet. Earlier this month, Espressif released version 2.0 of their IoT Development Framework (ESP-IDF), and if you haven’t been following along, you’ve missed a lot.

We last took a serious look at the IDF when the chips were brand-new, and the framework was still taking its first baby steps. There was no support for such niceties as I2C at the time, but you could get both cores up and running and the thing connected to the network. We wanted to test out the power-save modes, but that wasn’t implemented yet either. In short, we were watching the construction of a firmware skyscraper from day one, and only the foundation had been poured.

But what a difference eight months make! Look through the GitHub changelog for the release, and it’s a totally new ballgame. Not only are there drivers for I2C, I2S, SPI, the DAC and ADCs, etc., but there are working examples and documentation for all of the above. Naturally, there are a ton of bugfixes as well, especially in the complex WiFi and Bluetooth Low Energy stacks. There’s still work left to do, naturally, but Espressif seems to think that the framework is now mature enough that they’ve opened up their security bug bounty program on the chip. Time to get hacking!


The Raspberry Pi As An IR To WiFi Bridge

[Jason] has a Sonos home sound system, with a bunch of speakers connected via WiFi. [Jason] also has a universal remote designed and manufactured in a universe where WiFi doesn’t exist. The Sonos cannot be controlled via infrared. There’s an obvious problem here, but luckily tiny Linux computers with WiFi cost $10, and IR receivers cost $2. The result is an IR to WiFi bridge to control all those ‘smart’ home audio solutions.

The only thing [Jason] needed to control his Sonos from a universal remote is an IR receiver and a Raspberry Pi Zero W. The circuit is simple – just connect the power and ground of the IR receiver to the Pi, and plug the third pin of the receiver into a GPIO pin. The new, fancy official Raspberry Pi Zero enclosure is perfect for this build, letting the receiver’s little IR-transparent epoxy package poke out of the hole designed for the Pi camera.

For the software, [Jason] turned to Node.js and LIRC, a piece of software that decodes IR signals. With the GPIO pin defined, [Jason] set up the driver and used the Sonos HTTP API to send commands to his audio unit. There’s a lot of futzing about with text files for this build, but the results speak for themselves: [Jason] can now use a universal remote with everything in his home stereo.

Smart Child Seat Aims To Prevent Tragedy

For most of us, a memory lapse is as harmless as forgetting to bring the garbage to the curb, or maybe as expensive as leaving a cell phone and cup of coffee on the roof of the car before driving off. But when the toddler sleeping peacefully in the car seat slips your mind in the parking lot, the results can be deadly.

We have no doubt that child detection systems will soon be standard equipment on cars, like backup cameras and trunk-escape levers are now. Not willing to wait, [ayavilevich] came up with his own car occupancy sensor for child seats (Update: We originally linked to the Instructable, but [ayavilevich] wrote in and mentioned that this is an actual Hackaday Prize entry and that he’s looking for more people to get involved in the project).

Dubbed Fochica, for “Forgotten Child in Car Alert,” the system is clearly a proof of concept right now, but it has potential. The Arduino Uno senses Junior’s presence in the car seat with a homebrew capacitive sensor under the padding of the seat and a magnetic reed switch in the chest harness buckle. An Android app on a smartphone pairs with a BLE module to get the sensors’ status, and when the phone goes out of Bluetooth range while the seat is occupied, the app sounds an alarm. Simple, but effective.

We like how well [ayavilevich] thought this through. Systems like this are best left uncomplicated, so any improvements he makes should probably concentrate on engineering a reliable, fieldable device. Another hack we’ve presented in the kid-safety space is fast stairwell lights for a visually impaired girl, which might provide some ideas.
