Undo Arduino Encryption With An Oscilloscope

Cryptography ain’t easy. Seemingly small details like how many times a computationally intensive loop runs can give the game away. [Lord Feistel] gives us a demo of how this could work with nothing more than poorly designed code, a resistor, and an oscilloscope.

The hardware side is, as mentioned, really simple. Put a resistor inline with the Arduino and monitor the voltage drop across the resistor with the scope. When the chip is working hard, it consumes more current, and code sections that take longer will show up as longer dips.

On the software end, it’s only a little more complicated. The RSA encryption scheme involves a lot of exponentiation and modulo-taking. Here, [Lord Feistel] is targeting a naive way of computing the exponents quickly, in which the amount of work done in each loop iteration depends on the corresponding bit of the secret exponent, and demonstrates how you can read the exponent straight out of the chip’s power demand.

Implementing this attack against a real-world RSA algorithm, in the context of the Arduino doing other stuff, will be harder. And we don’t know if the algorithm implemented in “standard” Arduino libraries is smarter than this one. (If you know, let us know in the comments.) But still, this is a cool example of just how simple and straightforward it can be to eavesdrop on bad code.
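To make the leak concrete, here is a simulated version of the attack on the usual square-and-multiply loop, beside a Montgomery ladder that does the same work for every bit. This is an added example and not [Lord Feistel]’s code: the “trace” is an assumed model of the scope capture, one entry per loop iteration holding how many big-number multiplications that iteration performed (i.e. how long its current dip lasts), and the RSA numbers are toy-sized values constructed for the demonstration.

```python
"""Simulated simple power analysis (SPA) of RSA modular exponentiation.

Added example, not code from the original post. The trace model (one
'dip length' per loop iteration, measured in multiplications) is an
assumption standing in for a real oscilloscope capture.
"""
from typing import List, Tuple

# Toy RSA parameters, constructed for this example: p=61, q=53.
N = 3233          # p * q
E = 17            # public exponent
D = 2753          # private exponent, E*D = 1 mod (p-1)(q-1)


def leaky_modexp(base: int, exp: int, mod: int) -> Tuple[int, List[int]]:
    """Left-to-right square-and-multiply.

    The multiply step only runs when the current exponent bit is 1, so
    iterations for 1 bits take two multiplications and show up as dips
    twice as long as those for 0 bits. Returns (result, trace).
    """
    result = 1
    trace: List[int] = []
    for bit in bin(exp)[2:]:               # most significant bit first
        ops = 0
        result = (result * result) % mod   # square: always happens
        ops += 1
        if bit == "1":
            result = (result * base) % mod  # multiply: only for 1 bits
            ops += 1
        trace.append(ops)
    return result, trace


def ladder_modexp(base: int, exp: int, mod: int) -> Tuple[int, List[int]]:
    """Montgomery ladder: one square and one multiply on every iteration.

    The dip length no longer depends on the key bit. (Which register gets
    squared still depends on the bit; a production implementation also
    needs a constant-time swap, which this simple model does not capture.)
    """
    r0, r1 = 1, base % mod
    trace: List[int] = []
    for bit in bin(exp)[2:]:
        if bit == "0":
            r1 = (r0 * r1) % mod
            r0 = (r0 * r0) % mod
        else:
            r0 = (r0 * r1) % mod
            r1 = (r1 * r1) % mod
        trace.append(2)
    return r0, trace


def recover_exponent(trace: List[int]) -> int:
    """Attacker side: read the exponent straight off the dip lengths.

    A two-multiplication iteration is a 1 bit, a one-multiplication
    iteration is a 0 bit. Against the ladder this just returns all ones.
    """
    bits = "".join("1" if ops == 2 else "0" for ops in trace)
    return int(bits, 2)


if __name__ == "__main__":
    ciphertext = pow(65, E, N)
    plain, trace = leaky_modexp(ciphertext, D, N)
    print("leaky trace:  ", trace, "-> recovered d =", recover_exponent(trace))
    plain2, trace2 = ladder_modexp(ciphertext, D, N)
    print("ladder trace: ", trace2, "-> recovered d =", recover_exponent(trace2))
    assert plain == plain2 == 65
```

Both routines produce the same plaintext; only the leaky one lets `recover_exponent` read `D` back out of the trace. On real hardware the two dip lengths are blurred by noise and by whatever else the chip is doing, which is the gap between this simulation and the scope capture in the post.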

If you only need to bypass encryption instead of breaking it, check out [Lord Feistel]’s other tutorial on power glitching that we featured previously. If you haven’t played around with the hardware side of security, it gets deep pretty quickly, but you can at least dip your toes in the shallow end with what you’ve got in your closet.

A Binary Version Of The Enigma Machine

The Enigma machine is the most well-known encryption tool used by German forces in World War II, mostly because it was so famously cracked by the Allies to great effect. Like many hackers, [christofer.jh] was intrigued by the design of the Enigma, and felt compelled to build a binary version of his own design.

The original Enigma machine was designed to scramble the 26 letters in the Latin alphabet. This design is altogether simpler. Instead of 26 letters, it will scramble 1s and 0s of binary code based on the initial settings of the scrambler rings.


A portable digital radio transceiver in a 3D-printed case

RNODE: A Portable Unrestricted Digital Radio

RNode is an open source, unrestricted digital radio transceiver based on — but not limited to — the Reticulum cryptographic networking stack. It is another interesting project in what we might call the “Federated application” space in that it is intended to be used with no central controlling body. It can be used in a LAN or WAN context with the Reticulum network when operating in network adaptor mode, but it also has other use cases.

Essentially, RNode is a software project running on a LilyGO LoRa32 board wrapped up in a snazzy-looking 3D-printed case. Just make sure to grab a version of the board with a u.FL connector in place or somewhere to solder one. If it comes with an SMA connector, you will want to remove that. The device can be standalone, perhaps attached to a mobile device via Wi-Fi, but it needs to be hooked up to a laptop for the really interesting applications. When set to TNC mode, it can act as an APRS gateway, which allows you to access packet radio BBSs and all that fun stuff.


Current-Based Side-Channel Attacks, Two Ways

Funny things can happen when a security researcher and an electronics engineer specializing in high-speed circuits get together. At least they did when [Limpkin] met [Roman], which resulted in two interesting hardware solutions for side-channel attacks.

As [Limpkin] relates it, the tale began when he shared an office with [Roman Korkikian], a security researcher looking into current-based attacks on the crypto engine inside ESP32s. The idea goes that by monitoring the current consumption of the processor during cryptographic operations, you can derive enough information to work out what it is computing and, with enough traces, the secret it is computing with. It’s difficult to tease a useful signal from the noise, though, and [Roman]’s setup with long wire runs and a noisy current probe wasn’t helping at all. So [Limpkin] decided to pitch in.

The first board he designed was based on a balun, which he used to isolate the device under test from the amplification stage. He found a 1:8 balun, normally used to match impedances in RF circuits, and used its primary as a shunt resistance between the power supply — a CR1220 coin cell — and the DUT. The amplifier stage is a pair of low-noise RF amps; a variable attenuator was added between the amp stages on a second version of the board.

Board number two took a different tack; rather than use a balun, [Limpkin] chose a simple shunt resistor with a few twists. To measure the low-current signal on top of the ESP32’s baseline draw would require such a large shunt resistor that the microcontroller wouldn’t even boot, so he instead used an OPA855 wideband low-noise op-amp as an amplified shunt. The output of that stage goes through the same variable attenuator as the first board, and then to another OPA855 gain stage. The board is entirely battery-powered, relying on nice, quiet 18650s to power both the DUT and the shunt.

How well does it work? We’ll let you watch the talk below and make up your own mind, but since they’ve used these simple circuits to break a range of different chips, we’d say this approach is a winner.


It’s Numbers All The Way Down With This Tape Measure Number Station Antenna

For all their talk of cooperation and shared interests, the nations of the world put an awful lot of effort into spying on each other. All this espionage is an open secret, of course, but some of their activities are so mysterious that no one will confirm or deny that they’re doing it. We’re talking about numbers stations, the super secret shortwave radio stations that broadcast seemingly random strings of numbers for the purpose of… well, your guess is as good as ours.

If you want to try to figure out what’s going on for yourself, all you need is a pair of tape measures and a software defined radio (SDR), as [Tom Farnell] demonstrates. Tape measure antennas have a long and proud history in amateur radio and shortwave listening, being a long strip of conductive material rolled up in a convenient package. In this case, [Tom] wanted to receive some well-known numbers stations in the 20- to 30-meter band, and decided that a single 15-meter conductor would do the job. Unlike other tape measure antennas we’ve seen, [Tom] just harvested the blades from two 7.5-meter tape measures, connected them end-to-end, and threw the whole thing out the window in sort of a “sloper” configuration. The other end is connected to an RTL-SDR dongle and a smartphone running what appears to be SDRTouch, which lets him tune directly into the numbers stations.

Copying the transmissions is pretty simple, since they transmit either in voice or Morse; the latter can be automatically decoded on a laptop with suitable software. As for what the long strings of numbers mean, that’ll remain a mystery, if they mean anything at all. We like to think this whole thing is an elaborate plan to get other countries to waste time and resources intercepting truly random numbers that encode nothing meaningful. It would serve them right.


Hackaday Links: June 4, 2023

A report released this week suggests that 50 flights into its five-flight schedule, the Mars helicopter might be starting to show its age. The report details a protracted communications outage Ingenuity’s flight controllers struggled with for six sols after flight 49 back in April. At first attributed to a “communications shadow” caused by the helicopter’s robotic buddy, Perseverance, moving behind a rocky outcrop and denying line of sight, things got a little dicey once the rover repositioned and there was still no joy. Since the helicopter has now graduated from “technology demonstration” to a full-fledged member of the team tasked with scouting locations for the rover while respecting the no-fly zone around it, it was essential to get it flying again. Several attempts to upload a flight plan failed with nothing but an acknowledgment signal from the helicopter, but a final attempt got the program uploaded and flight 50 was a complete if belated success. So that’s good, but the worrying news is that since Sol 685, the helicopter has been switching in and out of nighttime survival mode. What that portends is unclear, but no matter how amazing the engineering is, there’s only so much that can be asked of Ingenuity before something finally gives.


Deciphering Queen Of Scots, Mary Stuart’s Lost Letters

First part of the cypher used by Mary Stuart and Castelnau, showing the use of homophones, special characters and more. (Credit: Lasry et al., 2023)

Communications between important people have been routinely encrypted for thousands of years, which makes breaking that encryption both an essential and a fascinating historical field. One recent example of an important historical discovery by codebreakers is a set of letters dating from 1578 to 1584 by Mary Stuart, the 16th-century Queen of Scots. Deemed lost for centuries, they turned up when researchers worked through a stash of encrypted letters kept at the Bibliothèque nationale de France (BnF). Only after decrypting these 57 letters did they realize what they had come across.

Even in digitized form, the letters could not simply be OCRed, leaving the researchers to manually transcribe each character into the software they used to assist with the decryption. Only during the decryption process did they begin to realize that these were not Italian communications, as the rest of the collection they were part of was, but in fact letters by Mary and her allies. Of the 57 letters, 54 are from Mary to Castelnau, the French ambassador in London at the time.

Supporting evidence for these decrypted letters being from Mary and Castelnau came from British archives, which had clear text versions of some of the encrypted letters, dated to the years when a mole within the French embassy was leaking translated texts to the English, as part of the usual political pastime during those centuries of getting onto thrones and making other people leave them. Mary’s attempt to become not only the Queen of Scots but also Queen of England came to a tragic end with her execution in 1587 after a politically motivated show trial.

The software the researchers primarily used is CrypTool 2, an open-source project that provides cryptanalysis and related functionality. Access to the documents themselves was enabled via the DECRYPT project; taken together, these resources enable virtually anyone to undertake such historical sleuthing from the comfort of their own home.
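The figure caption mentions homophones, which is the feature of Mary’s cipher that makes it more than a simple substitution: a frequent letter is represented by several cipher symbols, chosen at will, so that a symbol count no longer gives the letters away. The following is an added example, not the researchers’ code or anything from CrypTool 2 or DECRYPT, that builds a small homophonic cipher of that kind over numeric symbols and compares what a frequency-analysis attacker sees before and after. The letter-frequency table is an approximation of standard English figures, the homophone allocation rule is our own, and the sample text is constructed for the example; Mary’s real cipher also used nulls and special symbols for whole words, which this toy does not model.

```python
"""Homophonic substitution, as used in historical nomenclator ciphers.

Added example, not the researchers' code. Each letter gets a number of
numeric symbols roughly proportional to how often it occurs, so that no
single symbol dominates the ciphertext. Frequencies and sample text are
constructed/approximate, not taken from the paper.
"""
import random
from collections import Counter
from typing import Dict, List

# Approximate English letter frequencies in percent (standard reference
# values, approximated; an assumption of this example).
LETTER_FREQ: Dict[str, float] = {
    "e": 12.7, "t": 9.1, "a": 8.2, "o": 7.5, "i": 7.0, "n": 6.7, "s": 6.3,
    "h": 6.1, "r": 6.0, "d": 4.3, "l": 4.0, "c": 2.8, "u": 2.8, "m": 2.4,
    "w": 2.4, "f": 2.2, "g": 2.0, "y": 2.0, "p": 1.9, "b": 1.5, "v": 1.0,
    "k": 0.8, "j": 0.15, "x": 0.15, "q": 0.1, "z": 0.07,
}

# Constructed sample plaintext for the demonstration.
SAMPLE = (
    "The letters were written in a cipher that replaced each letter with "
    "one of several numbers so that the most common letters of the language "
    "no longer stood out when an interceptor counted the symbols and tried "
    "to match the tallest bars of the histogram to the vowels."
)


def build_table(percent_per_symbol: float = 2.0) -> Dict[str, List[int]]:
    """Allocate homophones: a letter carrying p percent of the text gets
    about p / percent_per_symbol distinct numeric symbols, at least one."""
    table: Dict[str, List[int]] = {}
    next_symbol = 0
    for letter, pct in LETTER_FREQ.items():
        count = max(1, round(pct / percent_per_symbol))
        table[letter] = list(range(next_symbol, next_symbol + count))
        next_symbol += count
    return table


def normalize(text: str) -> str:
    """Keep only the letters the table knows about, lower-cased."""
    return "".join(ch for ch in text.lower() if ch in LETTER_FREQ)


def encrypt(text: str, table: Dict[str, List[int]], rng: random.Random) -> List[int]:
    """Replace each letter by one of its homophones chosen at random."""
    return [rng.choice(table[ch]) for ch in normalize(text)]


def decrypt(symbols: List[int], table: Dict[str, List[int]]) -> str:
    """Every symbol belongs to exactly one letter, so decryption is unambiguous."""
    reverse = {sym: letter for letter, syms in table.items() for sym in syms}
    return "".join(reverse[s] for s in symbols)


def max_share(items) -> float:
    """Fraction of the sequence taken by its most common element: the first
    thing a frequency-analysis attacker looks at."""
    counts = Counter(items)
    return max(counts.values()) / len(items)


def run_demo(seed: int = 7) -> Dict[str, object]:
    """Encrypt the sample, decrypt it again, and report how much flatter the
    symbol histogram is than the letter histogram."""
    table = build_table()
    plain = normalize(SAMPLE)
    cipher = encrypt(SAMPLE, table, random.Random(seed))
    return {
        "plaintext": plain,
        "ciphertext": cipher,
        "recovered": decrypt(cipher, table),
        "symbols_in_table": sum(len(v) for v in table.values()),
        "max_share_plain": max_share(plain),
        "max_share_cipher": max_share(cipher),
    }


if __name__ == "__main__":
    r = run_demo()
    print("symbols:", r["symbols_in_table"])
    print("most common letter share: %.3f" % r["max_share_plain"])
    print("most common symbol share: %.3f" % r["max_share_cipher"])
    print("round trip ok:", r["recovered"] == r["plaintext"])
```

The most common plaintext letter takes over a tenth of the text, while the most common ciphertext symbol takes only a few percent, which is the point of the homophones. Historically the defence was weakened by the single-symbol letters and by the whole-word symbols, which is why transcription into a tool like CrypTool 2 and a lot of manual work were still needed to break it.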

(Thanks to [Stephen Walters] for the tip)