Broadpwn – All Your Mobiles are Belong to Us

Researchers from Exodus Intel recently published details on a flaw that exists on several Broadcom WiFi chipsets. It’s estimated to affect nearly 1 Billion devices, from Android to iPhone. Just to name a few in the top list:

  • Samsung Galaxy from S3 through S8, inclusive
  • All Samsung Notes3. Nexus 5, 6, 6X and 6P
  • All iPhones after iPhone 5

So how did this happen? And how does a bug affect so many different devices?

A smart phone nowadays is a very complicated mesh of interconnected chips. Besides the main processor, there are several other secondary processors handling specialized tasks which would otherwise clog up the main CPU. One of those is the WiFi chipset, which is responsible for WiFi radio communications — handling the PHY, MAC and MLME layers. When all the processing is complete, the radio chipset hands data packets over the kernel driver, which runs on the main CPU. This means that the radio chipset itself has to have some considerable data processing power to handle all this work. Alas, with great power comes great responsibility.

Continue reading “Broadpwn – All Your Mobiles are Belong to Us”

Fixing Bugs In Ancient BASIC Games

Before everyone learned programming on Stack Exchange, things were much different. Computer magazines had BASIC programs in them, which readers would type out, line by line, and hit RUN. In theory, this is a terrible way to learn programming; it’s simply rote recitation without any insight into what the code is actually doing. Of course, copying and pasting from Stack Exchange is exactly the same thing, so maybe these magazines were ahead of the curve.

[0xA000] recently came across one of his old computer magazines containing the type-in listing for Blindganger, a game where you wander a maze blindly. When [0xA000] typed this game into his C64 back in 1988, the game didn’t work. Thirty years later, he decided to give it another go and ended up fixing bugs in an old computer game.

When [0xA000] typed this game into his computer back in 1988, the map just didn’t work, and the final screen revealed a maze where the walls were where they shouldn’t be. A quick Google turned up a disk image of the same game that had the same problem. This bug was obviously in the section of code that draws the map at the end of the game, so [0xA000] started looking there. The offending typo in the code was an $F4 instead of an $F5, or 244 instead of 255. This shifted the colors of the map by 11 positions, meaning the locations marked as visited in the final screen were wrong. Whether this bug cropped up in development or was just a simple typo when typesetting the magazine doesn’t really matter now; after 29 years, this bug is fixed.

Build a Tiny (Unstable) Bugging Device

We don’t know who the [amgworkshop] wanted to listen in on, but they apparently went searching for a small FM wireless transmitter. There’s plenty of circuits around, but they wanted something smaller. The original circuit had a variable capacitor to tune the output frequency. The new design uses a fixed capacitor and a spring for an antenna. You can see the build steps in the video below, but don’t expect a lot of frequency stability or fidelity out of a single transistor transmitter.

The parts list is minimal. In addition to a coin cell holder (which serves as the construction base), you need a transistor, two resistors, three capacitors, a homemade inductor (very easy to make with some wire and a drill bit), and an electret microphone. Of course, you need a battery, too. The whole thing is potted with hot glue.

Continue reading “Build a Tiny (Unstable) Bugging Device”

Hacking When It Counts: Spy Radios

World War II can be thought of as the first electronic war. Radio technology was firmly established commercially by the late 1930s and poised to make huge contributions to the prosecution of the war on all sides. Radio was rapidly adopted into the battlefield, which led to advancements in miniaturization and ruggedization of previously bulky and fragile vacuum tube gear. Radios were soon being used for everything from coordinating battlefield units to detonating anti-aircraft artillery shells.

But it was not just the battlefields of WWII that benefitted from radio technology. From apartments in Berlin to farmhouses in France, covert agents toiled away over sophisticated transceivers, keying in coded messages and listening for instructions. Spy radios were key clandestine assets, both during the war and later during the Cold War. Continue reading “Hacking When It Counts: Spy Radios”

Parallel Compressors for Sandblasting without Crashing Your Grid

[Hannah] is restoring a 1962 Volkswagen Bug. The goal is to get the car on the road in time for her driver’s test. This is no easy task, as the lower 3 inches of all the body work is rusted out, and the engine is…. well, missing. Basically, the car needs a frame off restoration. This means that [Hannah] will have a lot of metal bodywork to clean up. One of the easiest ways to do that is sandblasting.

Large scale sandblasting is a bit different from most air-powered operations. Sandblasting needs only a modest air pressure, but a high air flow. [Hannah] need 25 Sustained Cubic Feet Per Minute (SCFM) at 80 PSI for sandblasting. Most compressors can easily supply that pressure, but 25 SCFM is asking quite a lot. She could go with an expensive 3 phase unit, or rent a diesel screw compressor. However, [Hannah] decided to connect 4 compressors in parallel to give her the flow she needed.

Connecting the air outputs in parallel is easy. The problem is the electricity. Each compressor is rated for 9 amps while running. They draw quite a bit more while starting up. The compressors have to be wired to individual 15 amp circuits to avoid blowing fuses. They also need to be started in sequence so they don’t pull down the AC for the entire house while starting.

Hannah could have used any sort of delay for this, but she chose an Arduino. The Arduino’s wall wart is wired up to the master compressor. Turning on the master powers up the Arduino which immediately starts a 2 second delay. When the delay times out, the Arduino fires up the second compressor. After several delay loops, all 4 compressors are running together.

hannah-schThe Arduino’s GPIO pins can’t handle 9 amp AC loads, so [Hannah] wired them to TIP120 transistors. The TIP120s drive low power relays, which in turn drive high current air conditioning relays. The system works quite well, as can be seen in the video below the break.

If you’re interested in air compressor projects, check out this setup made from an old refrigerator compressor. For more background on the TIP120, check out this article about these useful transistors.

Continue reading “Parallel Compressors for Sandblasting without Crashing Your Grid”

Hacking PayPal Accounts With CSRF

The computer security industry has made many positive changes since the early days of computing. One thing that seems to be catching on with bigger tech companies is bug bounty programs. PayPal offers such a program and [Yasser] decided to throw his hat in the ring and see if he could find any juicy vulnerabilities. His curiosity paid off big time.

Paypal is a huge player in the payment processing world, but that doesn’t mean they aren’t without their flaws. Sometimes the bigger the target, the more difficult it is to find problems. [Yasser] wanted to experiment with a cross-site request forgery attack. This type of attack typically requires the attacker to trick the victim into clicking a malicious link. The link would then impersonate the victim and make requests on the victim’s behalf. This is only made possible if the victim is logged into the target website.

PayPal has protection mechanisms in place to prevent this kind of thing, but [Yasser] found a loophole. When a user logs in to make a request, PayPal gives them an authentication token. This token is supposed to be valid for one user and one request only. Through experimentation, [Yasser] discovered a way to obtain a sort of “skeleton key” auth token. The attacker can attempt to initiate a payment transfer without first logging in to any PayPal account. Once the transfer is attempted, PayPal will request the user to authenticate. This process produces an auth token that apparently works for multiple requests from any user. It renders the authentication token almost entirely ineffective.

Once the attacker has a “universal auth token”, he can trick the victim into visiting a malicious web page. If the user is logged into their PayPal account at the time, the attacker’s webpage can use the universal auth token to trick the victim’s computer into making many different PayPal requests. Examples include adding email addresses to the account, changing the answers to security questions, and more. All of this can be done simply by tricking the user into clicking on a single link. Pretty scary.

[Yasser] was responsible with his disclosure, of course. He reported the bug to PayPal and reports that it was fixed promptly. It’s always great to see big companies like PayPal promoting responsible disclosure and rewarding it rather than calling the lawyers. Be sure to catch a video demonstration of the hack below. Continue reading “Hacking PayPal Accounts With CSRF”

A Dead Simple, Well Constructed FM Transmitter

[Angelo] is only 15, but that doesn’t mean his fabrication skills are limited to Lego and K’Nex. He’s built himself an amazingly well constructed FM transmitter that’s powerful enough to be received a quarter mile away.

The FM transmitter circuit itself is based off one of [Art Swan]’s builds, but instead of the solderless breadboard construction you would expect to find in a small demo circuit, [Angelo] went all the way, etching his own PCB and winding his own coil.

Using photosensitized copper clad board, [Angelo] laid out the circuit with Fritzing, etched a board, and went at it with a drill. The components found in the transmitter are pretty standard and with the exception of the trimmer cap and electret mic, can be picked up in the parts drawers of any Radio Shack. He gets bonus points for using a 1/4 – 20 bolt for winding the coil, too.

The power supply for the transmitter is a single 9V battery, the battery connector being salvaged from a dead 9V. Awesome work, and for someone so young, [Angelo] already seems to have a grasp of all the random, seemingly useless information that makes prototyping so much easier. Video below.

Continue reading “A Dead Simple, Well Constructed FM Transmitter”