Over-Engineered Cat Door Makes Purrfect Sense

On paper, pet doors are pretty great. You don’t have to keep letting the cat in and out, and there should be fewer scratches on the door overall. Unfortunately, your average pet door is indiscriminate, and will let any old creature waltz right in. Well, [Jeremiah] was tired of uninvited critters, so he built a motorized door with a built-in bouncer. Now, only animals with pre-approved BLE tags can get in.

The bouncer is a Raspi 3 running Node-RED, which scans continuously for BLE advertisements from the cats’ collars. [Jeremiah] settled on Tile tags because they’re reliable and cat-proof. The first version used an Arduino and RFID tags for the cats, but they had to get too close to the door to trigger it.

We love [Jeremiah]’s choice of door actuator, a 12V retractable car antenna. [Jeremiah] uses the antenna itself to lift and lower the removable lockout panel that comes with the door. He removed the circuit that retracts the antenna when power is lost, so that power outages don’t become free-for-alls for shelter-seeking animals.

There’s also a nice feature for slow creatures—the door won’t close until 15 seconds after the last BLE ad, so the cats won’t ever have to Indiana Jones it through the opening. Magnetic switches currently limit the door travel at the top and bottom, though [Jeremiah] will eventually replace them with standard switches. Paw at the break until you get a walk-through video.

Cats will be cats, and the ones that go outside will probably rack up a body count. Here’s a cat door that looks for victims clenched between cat jaws and starts a 15-minute lockout period.


The Amazon Dash Button: A Retrospective

The Internet of Things will revolutionize everything! Manufacturing? Dog walking? Coffee bean refilling? Car driving? Food eating? Put a sensor in it! The marketing makes it pretty clear that there’s no part of our lives which isn’t enhanced with The Internet of Things. Why? Because with a simple sensor and a symphony of corporate hand waving about machine learning an iPhone-style revolution is just around the corner! Enter: Amazon Dash, circa 2014.

The first product in the Dash family was actually a barcode scanning wand which was freely given to Amazon Fresh customers and designed to hang in the kitchen or magnet to the fridge. When the Fresh customer ran out of milk they could scan the carton as it was being thrown away to add it to their cart for reorder. I suspect these devices were fairly expensive, and somewhat too complex to be as frequently used as Amazon wanted (thus the extremely limited launch). Amazon’s goal here was to allow potential customers to order with an absolute minimum of friction so they can buy as much as possible. Remember the “Buy now with 1-Click” button?

That original Dash Wand was eventually upgraded to include a push button activated Alexa (barcode scanner and fridge magnet intact) and is generally available. But Amazon had pinned its hopes on a new beau. Mid 2015 Amazon introduced the Dash Replenishment Service along with a product to be its exemplar – the Dash Button. The Dash Button was to be the 1-Click button of the physical world. The barcode-scanning Wands require the user to remember the Wand was nearby, find a barcode, scan it, then remember to go to their cart and order the product. Too many steps, too many places to get off Mr. Bezos’ Wild Ride of Commerce. The Dash Buttons were simple! Press the button, get the labeled product shipped to a preconfigured address. Each button was purchased (for $5, with a $5 coupon) with a particular brand affinity, then configured online to purchase a specific product when pressed. In the marketing materials, happy families put them on washing machines to buy Tide, or in a kitchen cabinet to buy paper towels. Pretty clever, it really is a Buy now with 1-Click button for the physical world.

There were two versions of the Dash button. Both have the same user interface and work in fundamentally the same way. They have a single button (the software can recognize a few click patterns), a single RGB LED (‘natch), and a microphone (no, it didn’t listen to you, but we’ll come back to this). They also had a WiFi radio. Version two (silently released in 2016) added Bluetooth and completely changed the electrical innards, though to no user facing effect.

In February 2019, Amazon stopped selling the Dash Buttons.

This Week In Security: KNOB, Old Scams Are New Again, 0-days, Backdoors, And More

Bluetooth is a great protocol. You can listen to music, transfer files, get on the internet, and more. A side effect of those many uses is that the specification is complicated and intended to cover many use cases. A team of researchers took a look at the Bluetooth specification, and discovered a problem they call the KNOB attack, Key Negotiation Of Bluetooth.

This is actually one of the simpler vulnerabilities to understand. Randomly generated keys are only as good as the entropy that goes into the key generation. The Bluetooth specification allows negotiating how many bytes of entropy are used in generating the shared session key. By necessity, this negotiation happens before the communication is encrypted. The real weakness here is that the specification lists a minimum entropy of 1 byte. This means 256 possible initial states, far within the realm of brute-forcing in real time.

The attack, then, is to essentially man-in-the-middle the beginning of a Bluetooth connection, and force that entropy length to a single byte. That’s essentially it. From there, a bit of brute forcing results in the Bluetooth session key, giving the attacker complete access to the encrypted stream.

One last note: this isn’t an implementation vulnerability, it’s a specification vulnerability. If your device properly implements the Bluetooth protocol, it’s vulnerable.
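To make the negotiation weakness concrete, here is an added, simplified model of the key-size (entropy) negotiation and of the fix the Bluetooth SIG recommended after KNOB: refusing to encrypt with fewer than 7 octets. This is illustrative code, not a real LMP implementation; the `Device`, `negotiate` and `tamper` names are this example’s own.

```python
"""Simplified model of the Bluetooth BR/EDR encryption key-size negotiation.

Added example: it abstracts the LMP exchange into proposals and counter-
proposals, and shows that a minimum-entropy policy on either peer stops an
in-path downgrade to 1 byte. Not a real Bluetooth stack."""
from dataclasses import dataclass

MAX_OCTETS = 16              # the specification's upper bound for the key size
SPEC_MINIMUM = 1             # the pre-KNOB specification minimum discussed above
SIG_RECOMMENDED_MINIMUM = 7  # post-KNOB Bluetooth SIG recommendation


@dataclass
class Device:
    name: str
    min_octets: int = SPEC_MINIMUM
    max_octets: int = MAX_OCTETS

    def counter(self, proposal: int):
        """Answer a key-size proposal: accept it, lower it to our maximum,
        or refuse (None, modelling LMP_not_accepted) if below our minimum."""
        if proposal > self.max_octets:
            return self.max_octets
        if proposal < self.min_octets:
            return None
        return proposal


def negotiate(a: Device, b: Device, tamper=None):
    """Run the simplified exchange between a and b.

    `tamper`, if given, is applied to every proposal in flight and models an
    attacker rewriting the key-size field (e.g. lambda n: 1). Returns the
    agreed key size in octets, or None if either side refused."""
    proposal = a.max_octets
    if tamper:
        proposal = tamper(proposal)
    reply = b.counter(proposal)
    if reply is None:
        return None
    if tamper:
        reply = tamper(reply)
    return a.counter(reply)


def keyspace(octets: int) -> int:
    """Number of candidate session keys an attacker must try."""
    return 2 ** (8 * octets)
```

With both peers at the specification minimum the downgrade succeeds and the keyspace collapses to 256; raising `min_octets` to 7 on just one peer makes the tampered exchange fail instead of producing a weak key.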

CenturyLink Unlinked

You may not be familiar with CenturyLink, but it maintains one of the backbone fiber networks serving telephone and internet connectivity. In December 2018, CenturyLink had a large outage affecting its fiber network, most notably disrupting 911 services for many across the United States for 37 hours. The incident report was released on Monday, and it’s… interesting.

Perfecting A Bluetooth N64 Controller

Love it or hate it, the Nintendo 64 controller doesn’t seem to be going anywhere. Dedicated fans are still looking for ways to use the unique trilobed controller with modern systems, and they won’t be satisfied until they perfectly replicate the original experience. [Shyri Villar] has been working on perfecting a blend of original and modern hardware that looks very promising.

The project started when [Shyri] found that you could take the internals from a modern third party Bluetooth N64 controller made by 8BitDo and put them into the original controller’s case. This would give you the original buttons back, and overall a more authentic weight and feel. Unfortunately, this usually means dumping the original N64 joystick for the 8BitDo’s.

What [Shyri] wanted to do was install the 8BitDo PCB into an original N64 controller, but adapt Nintendo’s joystick to communicate with it. Unfortunately, since the original joystick used optical encoders and the 8BitDo version uses potentiometers, there’s something of a language gap.

To bridge the divide, both the X and Y dimensions of the joystick get their own PIC12F675 microcontroller and X9C103S digital potentiometer. The microcontrollers read the X and Y values from the original joystick’s encoders, and use the digital potentiometers to provide the 8BitDo with the expected analog input. Right now the electronics are held on two scraps of perfboard tucked into the side “wings” of the controller, but hopefully we’ll see a custom PCB in the future.

If you’re more interested in going back in time with your trusty N64 controller, then you might be interested in learning more about how one hacker managed to hook it up to the MSX.

Broken HP-48 Calculator Reborn As Bluetooth Keyboard

Considering their hardware specification, graphing calculators surely feel like an anachronism in 2019. There are plenty of apps and other software available for that nowadays, and despite all preaching by our teachers, we actually do carry calculators with us every day. On the other hand, never underestimate the power of muscle memory when using physical knobs and buttons instead of touch screen or mouse input. [epostkastl] combined the best of both worlds and turned his broken HP-48 into a Bluetooth LE keyboard to get the real feel with its emulated counterpart.

Initially implemented as a USB device, [epostkastl] opted for a wireless version this time, and connected an nRF52 based Adafruit Feather board to the HP-48’s conveniently exposed button matrix pins. For the software emulation side, he uses Emu48, an open source HP calculator emulator for Windows and Android. The great thing about Emu48 is that it supports fully customizable mappings of regular keyboard events to the emulated buttons, so you can easily map, say, the cosine button to the [C] key. The rest is straightforward: scanning the button matrix detects button presses, maps them to a key event, and sends it as a BLE HID event to the receiving side running Emu48.

This essentially turns [epostkastl]’s HP-48 into a regular wireless keyboard in a compact package — albeit with a layout that outshines every QWERTY vs Dvorak debate. It can of course also find alternative use cases, for example as a media center remote control, or a shortcut keyboard. After all, we’ve seen the latter built as stomp boxes and from finger training devices before, so why not a calculator?


Simple Bluetooth Car Audio From A Pi Zero

When [Sami Pietikäinen] realized that the Bluetooth built into his car didn’t support audio, he didn’t junk it and buy a Tesla. Instead, he decided to remedy the problem by building a small Bluetooth device that plugged into the Aux socket. To do this, he used a Raspberry Pi Zero with a pHAT DAC (Digital to Analog Converter). That’s perhaps using a sledgehammer to crack a walnut, but sometimes you work with what you have. The interesting part is to be found in what he did next: he used Yocto to optimize the device down to make it as simple and straightforward as possible.


New Bluetooth 5 Channel Hopping Reverse Engineered For Jamming And Hijacking

Bluetooth Low Energy (BLE) 5 has been around since 2016 with the most recent version 5.2 published just this year. There’s not much hardware out there that’s using the new hotness. That didn’t stop [Damien Cauquil] from picking apart BLE 5’s new frequency hopping techniques and updating his BtleJack tool to allow sniffing, jamming and hijacking hardware using the new protocol.

As you can imagine, the BLE standard is a complicated beast and just one part of it is the topic here: the PRNG-based frequency hopping scheme that is vastly different from BLE 4.x and earlier. The new standard, called Channel Selection Algorithm (CSA) #2, uses 65535 possible channels, compared to just 37 channels used by its predecessor. Paired devices agree to follow a randomized list of all possible channels in sequence so that they remain in synchronization between hops. This was put in place to help avoid collisions, making it possible for many more BLE devices to operate in close proximity. This is important to note since it quickly becomes obvious that it’s not a robust security measure by any means.

To begin channel hopping the two devices must first agree on an order in which to hop, ensuring they’ll meet one another after each leap. To do so they both run the same 32-bit seed number through a PRNG algorithm, generating a list that will then be followed exactly in order. But it turns out this is not very difficult to figure out. All that’s needed is the access address, whose top 16 bits are publicly available if you’re already sniffing packets, and whose bottom 16 bits are the counter that increments the hop address list.
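The point that the hop sequence contains no secret is easiest to see in code. The following is an added example implementing Channel Selection Algorithm #2 as defined in the Bluetooth Core Specification (Vol 6, Part B, 4.5.8.3); it is not [Damien]’s BtleJack code, and the function names are this example’s own. Its only inputs are the connection’s access address, which is transmitted in the clear, and the connection event counter, which both peers step in lockstep.

```python
"""Bluetooth LE Channel Selection Algorithm #2 (Core Spec Vol 6, Part B, 4.5.8.3).

Added example: a pure function from (access address, event counter, channel
map) to the data channel used for that event. Nothing here is secret, which
is why a sniffer that learns these values can follow the hops."""


def _perm(v: int) -> int:
    """Reverse the bit order inside each of the two bytes of a 16-bit value."""
    def rev8(b: int) -> int:
        return int(f"{b:08b}"[::-1], 2)
    return (rev8((v >> 8) & 0xFF) << 8) | rev8(v & 0xFF)


def _mam(a: int, b: int) -> int:
    """Multiply-add-modulo step: (17 * a + b) mod 2^16."""
    return (17 * a + b) & 0xFFFF


def channel_identifier(access_address: int) -> int:
    """channelIdentifier = AA[31:16] XOR AA[15:0]."""
    return ((access_address >> 16) ^ (access_address & 0xFFFF)) & 0xFFFF


def prn_e(counter: int, ident: int) -> int:
    """Pseudo-random value for one connection event: three perm/mam rounds."""
    e = (counter ^ ident) & 0xFFFF
    for _ in range(3):
        e = _mam(_perm(e), ident)
    return e ^ ident


def csa2_channel(access_address: int, counter: int, used_channels) -> int:
    """Data channel (0..36) for connection event `counter`.
    `used_channels` holds the channels enabled in the connection's channel map."""
    used = sorted(used_channels)
    prn = prn_e(counter, channel_identifier(access_address))
    unmapped = prn % 37
    if unmapped in used:
        return unmapped
    # Unmapped channel is disabled: remap with index = floor(N * prn_e / 2^16).
    return used[(len(used) * prn) >> 16]


def hop_sequence(access_address: int, start_counter: int, n: int, used_channels):
    """The next n channels a legitimate peer, or anyone else, will see."""
    return [csa2_channel(access_address, (start_counter + i) & 0xFFFF, used_channels)
            for i in range(n)]
```

The Core Specification’s own sample data (access address 0x8E89BED6, all 37 channels enabled) yields channels 20 and 6 for event counters 1 and 2, which is what this implementation returns.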

If you want to jam or hijack BLE 5 communication you need to establish which “randomized” channel list is being used, and the value of the counter that serves as an index to this list. To do so, [Damien] sniffs packets on two different channels. These channels will be used over and over again as it loops through the channel list, so calculating how much time occurs between each channel indicates how far apart these channels are on the list.

In practice, [Damien] first implemented a sieve (the same concept as the Sieve of Eratosthenes for finding primes) that starts with a list of all possibilities and removes those that don’t contain a matching timing between the two channels. Keep doing this, and eventually, you’ll whittle your list down to one possible channel order.

This certainly worked, but there were timing issues that sometimes meant you could learn the seed but couldn’t then sync with it after the fact. His second approach uses pattern matching. By measuring hops on 11 consecutive channels, he’s able to synchronize with target devices in a minute or less. From there, jamming or hijacking methods come into play. The randomization of this scheme is really marginal. A more robust technique would have used an internal state in both devices to generate the next hopping channel. This would have been much more difficult for an attacker to figure out. From the device perspective, CSA #2 takes very little computation power which is key for power-sipping IoT devices most often using BLE.

As mentioned before, [Damien] had trouble finding any hardware in the wild using the BLE 5 standard. His proof of concept is built on a pair of nRF52840 development boards. Because it needs more testing, the code hasn’t been merged into the main version of BtleJack, but you can still get it right now by heading over to the BtleJack repo on GitHub.