
Hackaday Links: June 27, 2021

When asked why he robbed banks, career criminal Willie Sutton is reported to have said, “Because that’s where the money is.” It turns out that a reporter made up the quote, but it’s a truism that offers by extension insight into why ATMs and point-of-sale terminals are such a fat target for criminals today. There’s something far more valuable to be taken from ATMs than cash, though — data, in the form of credit and debit card numbers. And taking a look at some of the hardware used by criminals to get this information reveals some pretty sophisticated engineering. We’d heard of ATM “skimmers” before, but never the related “shimmers” that are now popping up, at least according to this interesting article on Krebs.

While skimmers target the magnetic stripe on the back of a card, shimmers are aimed at reading the data from card chips instead. Shimmers are usually built on flex PCBs and are inserted into the card slot, where traces on the device make contact with the chip reader contacts. The article describes a sophisticated version of shimmer that steals power from the ATM itself, rather than requiring a separate battery. The shimmer sits inside the card slot, completely invisible to external inspection (sorry, Tom), and performs what amounts to a man-in-the-middle attack. Card numbers are either stored on the flash and read after the device is retrieved, or are read over a Bluetooth connection; PINs are stolen with the traditional hidden camera method. While we certainly don’t condone criminal behavior, sometimes you just can’t help but admire the ingenuity thieves apply to their craft.

In a bit of foreshadowing of how weird 2020 was going to be, back in January of that year we mentioned reports of swarms of mysterious UAVs moving in formation at night across the Midwest United States. We never heard much else about this — attention shifted to other matters shortly thereafter — but now there are reports out of Arizona of a “super-drone” that can outrun law enforcement helicopters. The incidents allegedly occurred early this year, when a Border Patrol helicopter pilot reported almost colliding with a large unmanned aerial system (UAS) over Tucson, and then engaged it in a 70-mile chase at speeds over 100 knots. The chase was joined by a Tucson police helicopter, with the UAS reaching altitudes of 14,000 feet at one point. The pilots didn’t manage to get a good look at it, describing it only as having a single green light on its underside. The range on the drone was notable; the helicopter pilots hoped to exhaust its batteries and force it to land or return to base, but they themselves ran out of fuel long before the drone quit. We have to admit that we find it a little fishy that there’s apparently no photographic evidence to back this up, especially since law enforcement helicopters are fairly bristling with sensors, cameras, and spotlights.

When is a backup not a backup? Apparently, when it’s an iCloud backup. At least that’s the experience of one iCloud user, who uses a long Twitter thread to vent about the loss of many years of drawings, sketches, and assorted files. The user, Erin Sparling, admits his situation is an edge case — he had been using an iPad to make sketches for years, backing everything up to an iCloud account. When he erased the iPad to loan it to a family member for use during the pandemic, he thought he’d be able to restore the drawings from his backups, but alas, more than six months had passed before he purchased a new iPad. Apparently iCloud just up and deletes everything if you haven’t used the account in six months — ouch! We imagine that important little detail was somewhere in the EULA fine print, but while that’s not going to help Erin, it may help you.

And lest the Apple pitchfork crowd think that this is something only Cupertino could think up, know that some Western Digital external hard drive users are crying into their beer too, after a mass wiping of an unknown number of drives. The problem impacts users of the WD My Book Live storage devices, which are basically network attached storage (NAS) devices with a cloud-based interface. The data on these external drives is stored locally, but the cloud interface lets you configure the device and access the data from anywhere. You and apparently some random “threat actors”, as WD is calling them, who seem to have gotten into some devices and performed a factory reset. While we feel for the affected users, it is worth noting that WD dropped support for these devices in 2015; six years without patching makes a mighty stable codebase for attackers to work on. WD is recommending that users disconnect these devices from the internet ASAP, and while that seems like solid advice, we can think of like half a dozen other things that need to get done to secure the files that have accumulated on these things.

And finally, because we feel like we need a little palate cleanser after all that, we present this 3D-printed goat helmet for your approval. For whatever reason, the wee goat pictured was born with a hole in its skull, and some helpful humans decided to help the critter out with TPU headgear. Yes, the first picture looks like the helmet was poorly Photoshopped onto the goat, but scroll through the pics and you’ll see it’s really there. The goat looks resplendent in its new chapeau, and seems to be getting along fine in life so far. Here’s hoping that the hole in its skull fills in, but if it doesn’t, at least they can quickly print a new one as it grows.


Give A Man A Phish, And You Entertain Him For A Day

With millions of phishing attempts happening daily, we’ve probably all had our fair share of coming across one. For the trained or naturally suspicious eye, it’s usually easy to spot them — maybe get a good chuckle out of the ridiculously bad ones along the way — and simply ignore them. Unfortunately, they wouldn’t exist if they weren’t successful enough in the big picture, so it might be a good idea to inform the targeted service about the attempt, in the hope that they will notify users to act with caution. And then there’s [Christian Haschek], who decided to have some fun and tried to render the phished data useless by simply flooding it with garbage.

After his wife received a text message from “their bank”, [Christian] took a closer look at the URL it was pointing to, and found your typical copy of the real login form at a slightly misspelled address. As the usual goal is to steal the victim’s credentials, he simply wrote a shell script that sends randomly generated account numbers and PINs for all eternity via cURL, potentially lowering any value the attackers could get from their attempt.

As the form fields limit the input length of the account number and PIN, he eventually wondered if the server side will do the same, or whether it would crash if longer data is sent to it. Sadly, he’ll never know, because after he modified the script, the site itself returned a 404 and had disappeared.

In the quest against phishing attacks, this should count as a success, but as [Christian] seemed to enjoy himself, he yearned for more and decided to take a look at a similar attempt he saw mentioned earlier on Reddit. Despite targeting the same bank, the server-side implementation was more sophisticated, hinting at a different attack, and he definitely got his money’s worth this time — but we don’t want to give it all away here.

Rest assured, [Christian Haschek] continues the good fight, whether by annoying attackers as he did with ZIP-bombing random WordPress login attempts or battling child pornography with a Raspberry Pi cluster. Well, unless he’s busy hunting down an unidentified device hooked up in his own network.

(Banner image by Tumisu)

Apple Coin Bank Plants The Seed Of Saving

Consider the piggy bank. Behind that innocent, docile expression is a capitalistic metaphor waiting to ruin your fond memories of saving for that BMX bike or whatever else it was that drove home the value of a dollar. As fun as it is to drop a coin in a slot, the act of saving your pennies and learning financial responsibility could be a bit more engaging.

It seems like [gzumwalt] feels the same way. He’s designed a coin bank for his grand-kids that takes a more active role in the deposit process—it straight up eats the things. Put a coin on the platform and the upper half of the apple’s face is pushed open by an arm that pulls the coin inside on its return path.

Continuing with the money-saving theme, [gzumwalt] didn’t use a micro or even a 555. No, the core of this project is a pair of micro lever switches, a small gear motor, and 4.5V DC. When a coin hits the platform, the first switch engages the motor. The motor drives a 3-D printed mechanism modeled after Hoeckens’ linkage, which converts rotational motion to (nearly) straight-line motion. The second switch stops the cycle. Confused? You can sink your teeth into it after the break.

Don’t worry, the kids don’t have to slice up the apple when it’s time to go to the candy store, ’cause there’s a screw-in hatch on the bottom. This is because [gzumwalt] is a wizard of 3-D printing and design. Not convinced? Check out his balloon-powered engine or his runs-on-air plane.


Power Through A Hurricane

When living in an area that is prone to natural disasters, it’s helpful to keep something on hand for backup power. While a large number of people choose to use generators, they are often unreliable (or poorly maintained), noisy, produce dangerous carbon monoxide, or run on a fuel supply that might not be available indefinitely. For truly reliable backup power, [Jay] has turned to a battery bank to ride through multi-day power outages.

While the setup doesn’t run his whole house, it isn’t intended to. One of the most critical things to power is the refrigerator, so this build focuses on keeping all of his food properly stored through the power outage. During the days following Hurricane Irma, the system could run the refrigerator for 10-11 hours, and the thermal insulation could keep everything cold or frozen overnight. Rather than using solar panels to charge the batteries, the system instead gets energy from the massive battery of his electric vehicle. [Jay] was out of power for 64 hours, and this system worked for him better (and at a lower cost) than a generator would have.

With the impact of major storms on many areas this year, we’ve been seeing a lot of interesting ways that people deal with living in areas impacted by these disasters. Besides riding through power outages, we’ve also seen the ARRL step in to help, and also taken a look at how robust building codes in these areas help mitigate property damage in the first place.


Reverse Engineering A Bank’s Security Token


[Thiago]’s bank uses a few methods besides passwords and PINs to verify accounts online and at ATMs. One of these is a ‘security card’ with 70 single use codes, while another is an Android app that generates a security token. [Thiago] changes phones and ROMs often enough that activating this app became a chore. This left only one thing to do: reverse engineer his bank’s security token and build a hardware device to replicate the app’s functionality.

After downloading the bank’s app off his phone and turning the .APK into a .JAR, [Thiago] needed to generate an authentication code for himself. He found a method that generates a timestamp which is the number of 36-second intervals since April 1st, 2007. The 36-second interval is how long each token lasts, and the 2007 date means this part of the code was probably developed in late 2007 or 2008. Reverse engineering this code allowed [Thiago] to glean the token generation process: it required a key, and the current timestamp.

[Thiago] found another class that reads his phone’s android_id, and derives the key from that. With the key and timestamp in hand, he figured out the generateToken method and found it was remarkably similar to Google Authenticator’s implementation; the only difference was the timestamp epoch and the period each token lasts.

With the generation of the security token complete, [Thiago] set out to put this code into a hardware device. He used a Stellaris Launchpad with the Criptosuite and RTClib libraries. The hardware doesn’t include a real-time clock, meaning the date and time need to be reset at each startup. Still, with a few additions, [Thiago] can have a portable device that generates security tokens for his bank account. Great work, and a great example of how seriously his bank takes account security.
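The token scheme described above (a counter of 36-second intervals since a custom epoch, fed into an HMAC-based one-time-password routine like Google Authenticator’s, i.e. RFC 4226 HOTP with the RFC 6238 time counter) as an added Python example; this is not [Thiago]’s code, and the key bytes, the 00:00 UTC time of day for the 1 April 2007 epoch, and the 6-digit output length are assumptions. Because the functions take the epoch and period as parameters, the same code also reproduces standard 30-second TOTP.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timezone

# Parameters recovered in the write-up: 36-second tokens counted from
# 1 April 2007. The time of day (00:00 UTC) is an assumption.
BANK_EPOCH = int(datetime(2007, 4, 1, tzinfo=timezone.utc).timestamp())
BANK_PERIOD = 36


def time_counter(unix_time, epoch=BANK_EPOCH, period=BANK_PERIOD):
    """Number of whole `period`-second intervals elapsed since `epoch`."""
    if unix_time < epoch:
        raise ValueError("time precedes the token epoch")
    return (unix_time - epoch) // period


def seconds_remaining(unix_time, epoch=BANK_EPOCH, period=BANK_PERIOD):
    """Seconds until the current token rolls over to the next counter value."""
    return period - ((unix_time - epoch) % period)


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a 31-bit value reduced to `digits` digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, unix_time, epoch=BANK_EPOCH, period=BANK_PERIOD, digits=6):
    """Time-based token: HOTP over the interval counter since `epoch`.
    With epoch=0 and period=30 this is plain RFC 6238 TOTP."""
    return hotp(key, time_counter(unix_time, epoch, period), digits)


if __name__ == "__main__":
    # Constructed placeholder key; a real deployment derives or provisions
    # a per-user secret (the write-up describes one derived from android_id).
    demo_key = b"placeholder-secret-not-a-real-key"
    now = int(datetime.now(timezone.utc).timestamp())
    print("token:", totp(demo_key, now), "valid for", seconds_remaining(now), "s")
```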

Measuring The ~10 Kiloamp Output Of A Large Capacitor Bank

[Norman] put together a rather impressive 22,500 uF capacitor bank. In addition to finding things to torture with the strong magnetic field generated by a sudden discharge, he’d like to measure the current pushed from the device. He’s found a way to do this using a digital storage oscilloscope. To protect the oscilloscope, [Norman] built his own interface box that includes a 50x voltage divider and interfaces a current sensor called a Rogowski coil. When it comes time to run the experiment, he turns the safety lock-out key on the bank charger, then discharges the stored potential with the flip of a switch.

Take a look at the video after the break to see soda cans and hard drive platters mangled by the device. The oscilloscope measures the output near 10 kA, giving [Norman] the data he set out to capture. He’s entered this project into the Tektronix contest where it’ll compete with the piano tuner and laser light show tester just to name a few.
