Shadowhammer, WPA3, And Alexa Is Listening: This Week In Computer Security

Let’s get caught up on computer security news! The big news is Shadowhammer — The Asus Live Update Utility prompted users to download an update that lacked any description or changelog. People thought it was odd, but the update was properly signed by Asus, and antivirus scans reported it as safe.

Nearly a year later, Kaspersky Lab announced they had confirmed this strange update was indeed a supply chain attack — one that attacks a target by way of another vendor. Another recent example is the backdoor added to CCleaner, when an unknown actor compromised the build system for CCleaner and used that backdoor to target other companies who were using CCleaner. Interestingly, the backdoor in CCleaner has some similarities to the backdoor in the Asus updater. Combined with the knowledge that Asus was one of the companies targeted by this earlier breach, the researchers at Kaspersky Lab suggest that the CCleaner attack might have been the avenue by which Asus was compromised.

Shadowhammer sits quietly on the vast majority of machines it infects. It’s specifically targeted at a pool of about 600 machines, identified by their network card’s MAC address. We’ve not seen any reporting yet on who was on the target list, but Kaspersky is hosting a service to check whether your MAC is on the list.

While we’re still waiting for the full technical paper, researchers gave a nearly 30 minute presentation about Shadowhammer, embedded below the break along with news about Dragonblood, Amazon listening to your conversations, and the NSA delivering on Ghidra source code. See you after the jump!

Making A Dash Button Update Your To-do List

Amazon’s Dash Buttons are useful little devices that let you automatically order a wide variety of common household goods at the press of a button. They’re cheap and wireless and readily available, and that makes them ripe for hacking. In just this vein, [Inbar] and [Ezra] found a way to make the Dash Buttons update their to-do list.

[Inbar] uses Any.do to manage his to-do list. There’s no public API, but the service can be configured to respond to Alexa commands. Naturally, this meant that if a Dash Button could be configured to trigger a voice command, Alexa would then make the necessary additions to the list.

This was achieved with lashings of Python, a Raspberry Pi, and Apple’s text-to-speech engine. The Raspberry Pi is set up as a wireless hotspot, to which the Dash Buttons are connected. When the button is pressed, a DHCP request goes out as the button tries to phone home. By scraping the MAC address from this request, the Raspberry Pi can identify which button has been pressed, and then play a recorded voice sample of Apple’s Samantha voice. This voice was specifically chosen to be the one most reliably understood by Alexa, which is responsible for parsing the voice command and updating the list on Any.do.

It’s a cheeky hack that doesn’t bother itself with the nitty-gritty of interfacing with various services and tools. Instead, it laces up a bunch of easy-to-use software and hardware, and gets the job done just as well.

As we’ve seen, Amazon’s Dash Button has been thoroughly pwned. Video after the break.

State Of The Art Big Mouth Alexa Bass

Hackers seem intent on making sure the world doesn’t forget that, for a brief shining moment, everyone thought Big Mouth Billy Bass was a pretty neat idea. Every so often we see a project that takes this classic piece of home decor and manages to shoehorn in some new features or capabilities, and with the rise of voice controlled home automation products from the likes of Amazon and Google, they’ve found a new ingredient du jour when preparing stuffed bass.

[Ben Eagan] has recently completed his entry into the Pantheon of animatronic fish projects, and while we’ll stop short of saying the world needed another Alexa-enabled fish on the wall, we’ve got to admit that he’s done a slick job of it. Rather than trying to convince Billy’s original electronics to play nice with others, he decided to just rip it all out and start from scratch. The end result is arguably one of the most capable Billy Bass updates we’ve come across, if you’re willing to consider flapping around on the wall an actual capability in the first place.

The build process is well detailed in the write-up, and [Ben] provides many pictures so the reader can easily follow along with the modification. The short version of the story is that he cuts out the original control board and wires the three motors up to an Arduino Motor Driver Shield, and when combined with the appropriate code, this gives him full control over Billy’s mouth and body movements. This saved him the trouble of figuring out how to interface with the original electronics, which is probably for the better since they looked rather crusty anyway.

From there, he just needed to give the fish something to get excited about. [Ben] decided to connect the 3.5 mm audio jack of a second-generation Echo Dot to one of the analog pins of the Arduino, and wrote some code that can tell him if Amazon’s illuminated hockey puck is currently yammering on about something or not. He even added an LM386 audio amplifier module in there to help drive Billy’s original speaker, since that will now be the audio output of the Dot.

A decade ago we saw Billy reading out Tweets, and last year we presented a different take on adding an Alexa “brain” to everyone’s favorite battery powered fish. What will Billy be up to in 2029? We’re almost too scared to think about it.

ESP8266 And Alexa Team Up To Tend Bar

After a hard day of soldering and posting memes online, sometimes you just want to yell at the blinking hockey puck in the corner and have it pour you out a perfectly measured shot of your favorite libation. It might not be the multi-purpose robot servant we were all hoping to have by the 21st century, but [Jake Lee] figures it’s about as close as we’re likely to get for under fifty bucks or so (Jake’s security certificate seems to have expired a few days ago so your browser may warn you, here’s an archived version).

From the hardware to the software, his Alexa-enabled drink pouring machine is an exercise in minimalism. Not that there’s anything wrong with that, of course. The easiest solutions are sometimes the best ones, and we think the choices [Jake] made here strike a perfect balance between keeping things simple and getting the job done. It’s by no means the most complete or capable robotic bartender we’ve ever seen, but it’s perhaps the one most likely to be duplicated by others looking to get in on the voice-controlled drinking game.

So how does it work? For one, [Jake] didn’t go through the trouble of creating a “proper” Alexa skill; that’s quite a bit of work just to pour a shot of rum. Instead, he took the easy way out and used the FauxMo library on his ESP8266 to emulate a few WeMo smart switches. Alexa (and pretty much every other home automation product) has native support for turning these on and off, so with the proper code you can leverage it as an easy way to toggle the chip’s digital pins.

Using Alexa’s “Routines” capability, these simple toggles can be chained together and associated with specific phrases to create more complex actions. For example, you could chain dispensing alcohol, lowering the room lighting, and playing music all to a single voice command. Something like “I give up”, perhaps.

When Alexa tells the drink dispenser to turn on, the ESP8266 fires a relay which starts up a small 12 V air pump. This is connected to the bottle of rum through a glass tube that [Jake] bent with a blow torch, and starts to pressurize it. With the air at the top of the bottle pushing down on it, a second glass tube gives the liquid a way to escape. This method of dispensing liquid is not only easy to implement, but saves you from having to drink something that’s passed through some crusty eBay pump.

If you prefer the “right” way of getting your device talking to Amazon’s popular home surveillance system, our very own [Al Williams] can get you headed in the right direction. On the other hand, if the flowing alcohol is the part of this project that caught your attention, well we’ve got more than a few projects that cover that topic as well.

Alexa, Remind Me Of The First Time Your Product Category Failed

For the last few years, the Last Great Hope™ of the consumer electronics industry has been voice assistants. Alexas and Echos and Google Homes and Facebook Portals are all the rage. Over one hundred million Alexa devices have been sold, an impressive feat given that there are only about 120 million households in the United States, and a similar number in Europe. Look to your left, look to your right, one of you lives in a house with an Internet connected voice assistant.

2018 saw a huge explosion of Internet connected voice assistants, in sometimes bizarre form factors. There’s a voice controlled microwave, which is great if you’ve ever wanted to defrost a chicken through the Internet. You can get hardware for developing your own voice assistant device. 2019 will be even bigger. Facebook is heavily advertising the Facebook Portal. If you haven’t yet deleted your Facebook account, you can put the Facebook Portal on your kitchen counter and make video calls with your family and friends through Facebook Messenger. With the Google Home Hub and a Nest doorbell camera, you too can be just like Stu Pickles from Rugrats.

This is not the first time the world has been enamored with Internet-connected assistants. This is not the first time the consumer electronics industry put all their hope into one product category. This has happened before, and all those devices failed spectacularly. These were the Internet appliances released between 1999 and 2001: the last great hurrah of the dot-com boom. They were dumb then, and they’re dumb now.


Win Back Some Privacy With A Cone Of Silence For Your Smart Speaker

To quote the greatest philosopher of the 20th century: “The future ain’t what it used to be.” Take personal assistants such as Amazon Echo and Google Home. When first predicted by sci-fi writers, the idea of instant access to the sum total of human knowledge with a few utterances seemed like a no-brainer; who wouldn’t want that? But now that such things are a reality, having something listening to you all the time and potentially reporting everything it hears back to some faceless corporate monolith is unnerving, to say the least.

There’s a fix for that, though, with this cone of silence for your smart speaker. Dubbed “Project Alias” by [Bjørn Karmann], the device consists of a Raspberry Pi with a couple of microphones and speakers inside a 3D-printed case. The Pi is programmed to emit white noise from its speakers directly into the microphones of the Echo or Home over which it sits, masking out the sounds in the room while simultaneously listening for a hot-word. It then mutes the white noise, plays a clip of either “Hey Google” or “Alexa” to wake the device up, and then business proceeds as usual. The bonus here is that the hot-word is customizable, so that in addition to winning back a measure of privacy, all the [Alexas] in your life can get their names back too. The video below shows people interacting with devices named [Doris], [Marvin], [Petey], and for some reason, [Milkshake].

We really like this idea, and the fact that no modifications are needed to the smart speaker is pretty slick, as is the fact that with a few simple changes to the code and the print files it can be used with any smart speaker. And some degree of privacy from the AI that we know is always listening through these things is no small comfort either.


Forcing Amazon Alexa Compatible Stuff To Speak To Google Assistant

It took a long time, but it’s 2019, and we’re starting to get used to the concept of talking to a computer to make it control things around the house. It’s not quite as cool as it seemed when we saw it in films way back when, but that’s just real life. The problem is, there’s a multitude of different systems and standards and they don’t all necessarily work together. In [Blake]’s case, the problem is that Woods brand hardware only works with Amazon Alexa, which simply won’t do.

[Blake] went through the hassle of getting an Amazon Alexa compatible WiFi outlet to work with Google Assistant. It’s a bit of a roundabout way of doing things, but it works. A TP-Link HS-105 WiFi plug is used, which can be controlled through Google Assistant voice commands. The part consists of two PCBs – a control board that speaks WiFi, and a switching board with relays. [Blake] used the control board and hooked it up to a Raspberry Pi. When switched on by a command from Google, the HS-105 sets a pin high, which is detected by the Raspberry Pi. The Raspberry Pi then runs a software implementation of the KAB protocol used by the Woods hardware, triggering it when it receives the signal from the TP-Link hardware.

If we understand correctly, [Blake] had to go to this trouble in order to make his special outdoor-rated outlets work with his Google Home setup. Hopefully interoperability improves in years to come, but we won’t hold our breath.

We’ve seen some pretty convoluted projects in this space before, often using IFTTT — like this ESP8266 voice controlled tank.