ESP8266 And ESP32 WiFi Hacked!

[Matheus Garbelini] just came out with three (3!) different WiFi attacks on the popular ESP32/8266 family of chips. He notified Espressif first (thanks!) and they’ve patched around most of the vulnerabilities already, but if you’re running software on any of these chips that’s in a critical environment, you’d better push up new firmware pretty quick.

The first flaw is the simplest, and only affects ESP8266s. While connecting to an access point, the access point sends the ESP8266 an “AKM suite count” field that contains the number of authentication methods that are available for the connection. Because the ESP doesn’t do bounds-checking on this value, a malicious fake access point can send a large number here, probably overflowing a buffer, but definitely crashing the ESP. If you can send an ESP8266 a bogus beacon frame or probe response, you can crash it.
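To show what the missing bounds check looks like on the receiving side, here is an added example (not Espressif's code, and not from the original post) of parsing the RSN element from a beacon or probe response. The names `parse_rsn`, `rsn_info` and `MAX_AKM` are hypothetical, and both sample elements are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_AKM 4  /* assumed capacity of the receiver's AKM table */

typedef struct { uint16_t akm_count; uint8_t akm[MAX_AKM][4]; } rsn_info;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse an RSN element (ID 48). This sketch requires the version, group
 * cipher, pairwise list and AKM list to be present.
 * Returns 0 on success, -1 if the element is malformed or oversized. */
int parse_rsn(const uint8_t *ie, size_t len, rsn_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < 2 || ie[0] != 48 || (size_t)ie[1] + 2 > len) return -1;
    const uint8_t *p = ie + 2, *end = p + ie[1];

    /* version (2) + group cipher suite (4) + pairwise count (2) */
    if (end - p < 8 || le16(p) != 1) return -1;
    p += 6;
    uint16_t n_pair = le16(p); p += 2;
    if ((size_t)(end - p) < (size_t)n_pair * 4) return -1;
    p += (size_t)n_pair * 4;

    if (end - p < 2) return -1;
    uint16_t n_akm = le16(p); p += 2;
    /* Bounds check on the AKM suite count: it must fit both the bytes
     * actually received and the fixed-size destination table. */
    if (n_akm > MAX_AKM || (size_t)(end - p) < (size_t)n_akm * 4) return -1;
    memcpy(out->akm, p, (size_t)n_akm * 4);
    out->akm_count = n_akm;
    return 0;
}

/* Constructed sample: well-formed WPA2-PSK element (one CCMP, one PSK). */
static const uint8_t GOOD[] = {0x30,0x14, 0x01,0x00, 0x00,0x0f,0xac,0x04,
    0x01,0x00, 0x00,0x0f,0xac,0x04, 0x01,0x00, 0x00,0x0f,0xac,0x02, 0x00,0x00};
/* Constructed sample: same element, AKM suite count set to 0xFFFF. */
static const uint8_t BAD[] = {0x30,0x14, 0x01,0x00, 0x00,0x0f,0xac,0x04,
    0x01,0x00, 0x00,0x0f,0xac,0x04, 0xff,0xff, 0x00,0x0f,0xac,0x02, 0x00,0x00};

int main(void)
{
    rsn_info r;
    return !(parse_rsn(GOOD, sizeof GOOD, &r) == 0 &&
             parse_rsn(BAD, sizeof BAD, &r) == -1);
}
```

The oversized count is rejected before any copy happens, so the frame is dropped instead of the parser walking past the end of the element or the table.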

What’s most fun about the beacon frame crasher is that it can be implemented on an ESP8266 as well. Crash-ception! This takes advantage of the ESP’s packet injection mode, which we’ve covered before.

The second and third vulnerabilities exploit bugs in the way the ESP libraries handle the Extensible Authentication Protocol (EAP), which is mostly used in enterprise and higher-security environments. One hack makes the ESP32 or ESP8266 on the EAP-enabled network crash, but the other hack allows for a complete hijacking of the encrypted session.

These EAP hacks are more troubling, and not just because session hijacking is more dangerous than a crash-DOS scenario. The ESP32 codebase has already been patched against them, but the older ESP8266 SDK has not yet. So as of now, if you’re running an ESP8266 on EAP, you’re vulnerable. We have no idea how many ESP8266 devices are out there in EAP networks, but we’d really like to see Espressif patch up this hole anyway.

[Matheus] points out the irony that if you’re using WPA2, you’re actually safer than if you’re unpatched and using the nominally more secure EAP. He also wrote us that if you’re stuck with a bunch of ESP8266s in an EAP environment, you should at least encrypt and sign your data to prevent eavesdropping and/or replay attacks.

Again, because [Matheus] informed Espressif first, most of the bugs are already fixed. It’s even percolated downstream into the Arduino-for-ESP, where it’s just been worked into the latest release a few hours ago. Time for an update. But those crusty old NodeMCU builds that we’ve got running everything in our house? Time for a full recompile.

We’ve always wondered when we’d see the first ESP8266 attacks in the wild, and that day has finally come. Thanks, [Matheus]!

Israel’s Moon Lander Crashed, And That’s OK

Some bittersweet news today as we get word that Israel’s Beresheet spacecraft unfortunately crashed shortly before touchdown on the Moon. According to telemetry received from the spacecraft right up until the final moments, the main engine failed to start during a critical braking burn which would have slowed the craft to the intended landing velocity. Despite attempts to restart the engine before impact with the surface, the craft hit the Moon too hard and is presumably destroyed. It’s likely that high resolution images from the Lunar Reconnaissance Orbiter will eventually be able to give us a better idea of the craft’s condition on the surface, but at this point the mission is now officially concluded.

The Beresheet Lander

It’s easy to see this as a failure. Originally conceived as an entry into the Google Lunar X Prize, the intended goal for the $100 million mission was to become the first privately funded spacecraft to not only touch down on the lunar surface, but navigate laterally through a series of powered “hops”. While the mission certainly fell short of those lofty goals, it’s important to remember that Beresheet did land on the Moon.

It didn’t make the intended soft landing, a feat accomplished thus far only by the United States, Russia, and China; but the fact of the matter is that a spacecraft from Israel is now resting on the lunar surface. Even though Beresheet didn’t survive the attempt, history must recognize Israel as the fourth country to put a lander on the surface of our nearest celestial neighbor.

It’s also very likely this won’t be the last time Israel reaches for the Moon. During the live broadcast of the mission, after it was clear Beresheet had been lost, Prime Minister Benjamin Netanyahu vowed his country would try again within the next two years. The lessons learned today will undoubtedly help refine their next mission, and with no competition from other nations in the foreseeable future, there’s still an excellent chance Israel will be able to secure their place in history as the fourth country to make a successful soft landing.

Beresheet’s view during descent

Of course you’ve got to get to the Moon before you can land on it, and in this respect, Beresheet was an unmitigated success. We previously covered the complex maneuvers required to put the craft into lunar orbit after riding to space as a secondary payload on the Falcon 9 rocket; a technique which we’ll likely see more of thanks to NASA’s recent commitment to return to the Moon. Even if Beresheet never attempted to land on the surface, the fact that it was able to enter into a stable lunar orbit and deliver dramatic up-close images of the Moon’s surface will be a well deserved point of pride for Israel.

If there’s one thing to take away from the loss of Beresheet, it’s that travel among the stars is exceptionally difficult. Today we’re reminded that even the slightest miscalculation can quickly escalate into tragedy when we leave the relative safety of Earth’s atmosphere. In an era when a mega-rocket launching a sports car live on YouTube seems oddly commonplace, it can be easy to forget that humanity’s long path to space featured as many heartbreaking defeats as it does triumphant successes.

This won’t be the last time that hundreds of millions of dollars worth of high-tech equipment will be lost while pushing the absolute edge of the envelope, and that’s nothing to be upset over. Humans have an insatiable need to see what’s over the horizon and that means we must take on a certain level of risk. The alternative is stagnation, and in the long run that will cost us a lot more than a few crashed probes.

Cortex 2 Is One Serious 3D Printed Experimental Rocket

Rocketry is wild, and [Foaly] is sharing build and design details of the Cortex 2 mini rocket which is entirely 3D printed. Don’t let that fool you into thinking it is in any way a gimmick; the Cortex 2 is a serious piece of engineering with some fascinating development.

Cortex 1 was launched as part of C’Space, an event allowing students to launch experimental rockets. Stuffed with sensors and entirely 3D printed, Cortex 1 flew well, but the parachute failed to deploy mainly due to an imperfectly bonded assembly. The hatch was recovered, but the rocket was lost. Lessons were learned, and Cortex 2 was drafted up before the end of the event.

Some of the changes included tweaking the shape and reducing weight, and the refinements also led to reducing the number of fins from four to three. The fins for Cortex 2 are also reinforced with carbon fiber inserts and are bolted on to the main body.

Here’s an interesting detail: apparently keeping the original fins would result in a rocket that was “overstable”. We didn’t really realize that was a thing. The results of overstabilizing are similar to a PID loop where gain is too high, and overcorrection results in oscillations instead of a nice stable trajectory.

Cortex 2 uses a different rocket motor from its predecessor, which led to another interesting design issue. The new motor is similar to hobby solid rocket motors where a small explosive charge at the top of the motor blows some time after the fuel is gone. This charge is meant to eject a parachute, but the Cortex 2 is not designed to use this method, and so the gasses must be vented. [Foaly] was understandably not enthusiastic about venting hot gasses through the mostly-PLA rocket body. Instead, a cylindrical cartridge was designed that both encases the motor and redirects any gasses from the explosive charge out the rear of the rocket. That cartridge was SLA printed out of what looks to us like Formlabs’ High Temperature Resin.

Finally, to address the reasons Cortex 1 crashed, the hatch and parachute were redesigned for better reliability. A servo takes care of activating the system, and a couple of reverse-polarity magnets assist in ensuring the hatch blows clear. There’s even a small servo that takes care of retracting the launch guide.

The rocket is only half built so far, but looks absolutely fantastic and we can’t wait to see more. It’s clear [Foaly] has a lot of experience and knowledge. After all, [Foaly] did convert a Makerbot printer into a CNC circuitboard engraver.

Fatalities Vs False Positives: The Lessons From The Tesla And Uber Crashes

In one bad week in March, two people were indirectly killed by automated driving systems. A Tesla vehicle drove into a barrier, killing its driver, and an Uber vehicle hit and killed a pedestrian crossing the street. The National Transportation Safety Board’s preliminary reports on both accidents came out recently, and these bring us as close as we’re going to get to a definitive view of what actually happened. What can we learn from these two crashes?

There is one outstanding factor that makes these two crashes look different on the surface: Tesla’s algorithm misidentified a lane split and actively accelerated into the barrier, while the Uber system eventually correctly identified the cyclist crossing the street and probably had time to stop, but it was disabled. You might say that if the Tesla driver died from trusting the system too much, the Uber fatality arose from trusting the system too little.

But you’d be wrong. The forward-facing radar in the Tesla should have prevented the accident by seeing the barrier and slamming on the brakes, but the Tesla algorithm places more weight on the cameras than the radar. Why? For exactly the same reason that the Uber emergency-braking system was turned off: there are “too many” false positives and the result is that far too often the cars brake needlessly under normal driving circumstances.

The crux of self-driving at the moment is precisely figuring out when to slam on the brakes and when not. Brake too often, and the passengers are annoyed or the car gets rear-ended. Brake too infrequently, and the consequences can be worse. Indeed, this is the central problem of autonomous vehicle safety, and neither Tesla nor Uber have it figured out yet.


Retrotechtacular: Operation Smash Hit

Judging by the number of compilations that have been put online, one of the not-so-secret vices of the YouTube generation must be the watching of crash videos. Whether it is British drivers chancing their luck on level crossings, Russians losing it at speed on packed snow, or Americans driving tall trucks under low bridges, these films exert a compelling fascination upon the viewing public intent on deriving entertainment from the misfortunes of others. The footage is often peripheral or grainy, having inevitably been captured by a dashcam or a security camera rather than centre-stage on a broadcast quality system with professional operation. You can’t predict when such things will happen.

There was one moment, back in 1984, when predicting a major crash was exactly what you could do. It was a national event, all over the TV screens, and one which was watched by millions. The operators of British nuclear power stations wished to stage a public demonstration of how robust their transport flasks for spent nuclear fuel rods were, so after all the lab tests they could throw at one they placed it on a railway test track and crashed a 100mph express train into it.

Water escaping during drop test.

This was as much a PR stunt as it was a scientific endeavour, and they lost no time in promoting it across all media. The film below the break was part of this effort, and takes us through the manufacture of the flask forged in one piece from huge billets of steel, before showing us the tests to which it was subjected. The toughest of these, a drop-test onto a corner of a fully laden flask, resulted in a small escape of the water contained within it. It was thus decided to conduct the ultimate test to ensure full public confidence in nuclear transport.

The Old Dalby test track is a section of a closed-to-passengers line in the English Midlands that was retained by British Railways as a proving ground for new locomotives. In the ultimate test of rail transport for nuclear waste, a flask was placed on its side across a piece of the track, and a train formed of a withdrawn 1960s locomotive and a short rake of 1950s carriages was accelerated without a driver over several miles to 100mph.

An instant before impact, we see the underside of the derailed car. The flask is between it and the locomotive.

[Nigel Harris] for Rail magazine wrote an almost funereal description of the destruction of locomotive 46009 25 years later in 2009, and as he reported the flask survived with only superficial damage and a tiny loss in pressure. The event was hailed as a success by the nuclear industry, before fading from the public consciousness as nuclear power station operators prefer to remain out of the news.

It is questionable how much the Old Dalby crash was for the cameras and the public, and how much it was for the scientists and engineers. But such destructive tests do serve as a means to gain vital test data that could not be harvested any other way, and have been performed more than once in the aviation industry. Later in the same year a Boeing 720 was crashed for science in the USA, while more recently in 2012 a Boeing 727 was crashed in Mexico.

Crashing an express train into a nuclear flask is something not likely to be seen again; it was a one-off event. But one thing’s for sure, our inability to turn away from watching a train wreck is nothing new. YouTube and ubiquitous cameras certainly make crashes available with a few keystrokes. But from the 1984 cask crash test, to the spectacle of Crush, Texas back in 1896, the sheer power shown in these crashes seems to have a siren song effect on us.


Drone Vs. Airplane? Who Will Win? Science Knows.

Ignore the article, watch the video at the top of the page. The article is about some idiot, likely not even a hacker, who bought a drone somewhere and nearly rammed it into a plane. He managed this with concentrated idiocy, intention was not involved. While these idiots are working hard to get our cool toys taken away, researchers elsewhere are answering the question of exactly how much threat a drone poses to an airplane.

Airplanes are apparently armored to withstand a strike from an 8lb bird. However, even if in a similar weight class, a drone is not constructed of the same stuff. To understand if this mattered, step one was to exactly model a DJI Phantom and then digitally launch it at various sections of a very expensive airplane.

The next step, apparently, was to put a drone into an air cannon and launch it at an aluminum sheet. The drone explodes quite dramatically. Some people have the best jobs.

The study is still ongoing, but from the little clips seen, the drone loses. Along with the rest of us.

Perhaps the larger problem to think about right now is how to establish if a “drone” has actually been involved in an incident with a passenger aircraft. It seems there are a lot of instances where that claim is dubious.

Repaired Manned Multicopter Flies Without Horrifying Crash

[amazingdiyprojects] has been making lots of test flights in his crazy eight propeller gasoline powered danger bucket.

We last covered the project when he had, unfortunately, wrecked the thing in a remote-controlled test flight. He later discovered that the motor’s crankshaft bearings had, well, exploded. The resulting shrapnel destroyed the motor and crashed the drone. He described this failure mode as “concerning”.

Also concerning is the act of stepping into the seat once all the propellers are started up. He tags this as “watch your step or die”. Regardless, he also describes flying in the thing as so incredibly fun that it’s hard to stay out of it; like a mechanical drug. It explains why his channel has been lately dominated by videos of him testing the multicopter. Those videos are found after the break.

The device drinks 0.65-0.7 liters per minute of gasoline, and he’s been going through reserves working out all the bugs. This means everything from just figuring out how to fly it to discovering that the dust from the ground effect tends to clog up the air filters; which causes them to run lean, subsequently burning up sparkplugs. Dangerous, but cool.
