The Badgies: Clever, Crazy, And Creative Ideas In Electronic Design

Engineering creativity comes to life when you have to design around a set of constraints. We can do just about anything with enough time, talent, and treasure, but what can you do when shackled with limitations? Some of the most creative electronic manufacturing tricks spring to life when designing conference badges, as the ability to build multiples, to come in under budget, and, most importantly, to have the production finished in time are all in play.

This happens at conferences throughout the year and all over the globe, but the highest concentration I’ve seen for these unique pieces of art is at DEF CON every year. I loved seeing dozens of interesting projects this year, and have picked a handful of the coolest features on a badge to show off in this article. I still love all the rest, and have a badge supercut article on the way, but until then let’s take a look at an RC car badge, a different kind of blinky bling, and a few other flourishes of brilliance.

NFC Business Cards To FPGA Cubes, Skull Badges To Bandoliers, Here’s The Hardware From Breakfast At DEF CON

We had our biggest Breakfast at DEF CON ever on Sunday. So big, in fact, that the carefully laid plans went awry immediately.

This is the fifth year we’ve hosted the event, which kicks off the final day of DEF CON with some hardware show-and-tell. We really thought we had it all figured out, since this time we actually booked a space in the Paris hotel. For the first three years we were just banditing the space — asking everyone to show up at this place and it’ll become an event. Last year we planned to have it in the Hardware Hacking Village, but the casino stopped us from bringing in pastries that morning and we ended up camping out in a dining area that wasn’t open until the afternoon.

Last weekend we had a cafe booked, with pastries and coffee on order. The only problem is that you are all too awesome. We had a couple hundred people show up and the cafe didn’t want us standing, which limited our space to the number of booth seats available. No worries, as is the tradition we spilled out into a lounge area on the casino floor and enjoyed ourselves!

Here’s some of the hardware that showed up at this gathering.

Hands-On: Queercon 16 Hardware Badge Shows Off Custom Membrane Keyboard

Year over year, the Queercon badge is consistently impressive. I think what’s most impressive about these badges is that they seemingly throw out all design ideas from the previous year and start anew, yet manage to discover a unique and addictive aesthetic every single time.

This year, there are two hardware badges produced by the team composed of Evan Mackay, George Louthan, Tara Scape, and Subterfuge. The one shown here is nicknamed the “Q” badge for its resemblance to the letter. Both get you into the conference, both are electronically interactive, but this one is like a control panel for an alternate reality game (ARG) that encourages interactivity and meaningful conversations. The other badge is the “C” badge. It’s more passive, yet acts as a key in the ARG — you cannot progress by interacting with only one type of badge, you must work with people sporting both badge types so that Queercon attendees who didn’t purchase the Q badge still get in on the fun.

The most striking feature on this badge is a custom membrane keyboard tailored to playing the interactive game across all badges at the conference. But I find that the eInk screen, RJ12 jack for connectivity, and the LED and bezel arrangements all came together for a perfect balance of function and art. Join me after the break for a closer look at what makes this hardware so special.

Hackaday Podcast 031: Holonomic Drives, Badges Of DEF CON, We Don’t Do On-Chip Debugging, And Small Run Manufacturing Snafus

Mike Szczys and Kerry Scharfglass recorded this week’s podcast live from DEF CON. Among the many topics of discussion, we explore some of the more interesting ways to move a robot. From BB-8 to Holonomic Drives, Kerry’s hoping to have a proof of concept in time for Supercon. Are you using On-Chip Debugging with your projects? Neither are we, but maybe we should. The same goes for dynamic memory allocation; but when you have overpowered micros such as the chip on the Teensy 4.0, why do you need to? We close this week’s show with a few interviews with badge makers who rolled out a few hundred of their design and encountered manufacturing problems along the way. It wouldn’t be engineering without problems to solve.

Take a look at the links below if you want to follow along, and as always tell us what you think about this episode in the comments!

Direct download (41 MB)

This Week In Security: Black Hat, DEF CON, And Patch Tuesday

Black Hat and DEF CON both just wrapped, and Patch Tuesday was this week. We have a bunch of stories to cover today.

First some light-hearted shenanigans. Obviously inspired by Little Bobby Tables, Droogie applied for the vanity plate “NULL”. A year went by without any problems, but soon enough it was time to renew his registration. The online registration form refused to acknowledge “NULL” as a valid license plate. The hilarity didn’t really start until he got a parking ticket, and received a bill for $12,000. It seems that the California parking ticket collection system can’t properly differentiate between “NULL” and a null value, and so every ticket without a license plate is now unintentionally linked to his plate.

In the comments on the Ars Technica article, it was suggested that “NULL” simply be added to the list of disallowed vanity plates. A savvy reader pointed out that the system that tracks disallowed plates would probably similarly choke on a “NULL” value.

Hacking an F-15

In a surprising move, Air Force officials brought samples of the Trusted Aircraft Information Download Station (TADS) from an F-15 to DEF CON. Researchers were apparently able to compromise those devices in a myriad of ways. This is a radical departure from the security-through-obscurity approach that has characterized the U.S. military for years.

Next year’s DEF CON involvement promises to be even better as the Air Force plans to bring researchers out to an actual aircraft, inviting them to compromise it in every way imaginable.

Patch Tuesday

Microsoft’s monthly dump of Windows security fixes landed this week, and it was a doozy. First up are a pair of remotely exploitable Remote Desktop vulnerabilities, CVE-2019-1222 and CVE-2019-1226. It’s been theorized that these bugs were found as part of an RDP code review launched in response to the BlueKeep vulnerability from earlier this year. The important difference here is that these bugs affect multiple versions of Windows, up to and including Windows 10.

What the CTF

Remember Tavis Ormandy and his Notepad attack? We finally have the rest of the story! Go read the whole thing, it’s a great tale of finding something strange, and then pulling it apart looking for vulnerabilities.

Microsoft Windows has a module, MSCTF, that is part of the Text Services Framework. What does the CTF acronym even stand for? That’s not clear. It seems that CTF is responsible for handling keyboard layouts, and translating keystrokes based on what keyboard type is selected. What is also clear is that every time an application builds a window, that application also connects to a CTF process. CTF has been a part of Microsoft’s code base since at least 2001, with relatively few code changes since then.

CTF doesn’t do any validation, so an attacker can connect to the CTF service and claim to be any process. Tavis discovered he could effectively attempt to call arbitrary function pointers of any program talking to the same CTF service. Due to some additional security measures built into modern Windows, the path to an actual compromise is rather convoluted, but by the end of the day, any CTF client can be compromised, including Notepad.

The most interesting CTF client Tavis found was the login screen. The exploit he demos as part of the write-up is to lock the computer, and then compromise the login screen in order to spawn a process with SYSTEM privileges.

The presence of this unknown service running on every Windows machine is just another reminder that operating systems should be open source.

Biostar 2

Biostar 2 is a centralized biometric access control system in use by thousands of organizations and many countries around the globe. A pair of Israeli security researchers discovered that the central database that controls the entire system was unencrypted and unsecured. 23 Gigabytes of security data was available, including over a million fingerprints. This data was stored in the clear, rather than properly hashed, so passwords and fingerprints were directly leaked as a result. This data seems to have been made available through an Elasticsearch instance that was directly exposed to the internet, and was found through port scanning.

If you have any exposure to Biostar 2 systems, you need to assume your data has been compromised. While passwords can be changed, fingerprints are forever. As biometric authentication becomes more widespread, this is an unexplored side effect.

Hackaday Links: August 11, 2019

By the time this goes to press, DEFCON 27 will pretty much be history. But badgelife continues, and it’d be nice to have a way of keeping track of all the badges offered. Martin Lebel stepped up to the challenge with a DEF CON 27 badgelife tracker. He’s been tracking the scene since March, and there are currently more than 170 badges, tokens, and shitty add-ons listed. Gotta catch ’em all!

Nice tease, Reuters. We spotted this story about the FAA signing off on beyond-visual-line-of-sight, or BVLOS, operation of a UAV. The article was accompanied by the familiar smiling Amazon logo, leading readers to believe that fleets of Amazon Prime Air drones would surely soon darken the skies with cargoes of Huggies and Tide Pods across the US. It turns out that the test reported was conducted by the University of Alaska Fairbanks along an oil pipeline in the Last Frontier state, and was intended to explore medical deliveries and pipeline surveillance for the oil industry. The only mention of Amazon was that the company reported they’d start drone deliveries in the US “in months.” Yep.

Ever wonder what it takes to get your widget into the market? Between all the testing and compliance requirements, it can be a real chore. Nathaniel tipped us off to a handy guide written by his friend Skippy that goes through the alphabet soup of agencies and regulations needed to get a product to market – CE, RoHS, WEEE, LVD, RED, CE for EMC. Take care of all that paperwork and you’ll eventually get a DoC and be A-OK.

A French daredevil inventor made the first crossing of the English Channel on a hoverboard on Sunday. Yes, we know it’s not an “actual” hoverboard, but it’s as close as we’re going to get with the physics we have access to right now, and being a stand-upon jet engine powered by a backpack full of fuel, it qualifies as pretty awesome. The report says it took him a mere 20 minutes to make the 22-mile (35-km) crossing.

We had a grand time last week around the Hackaday writing crew’s secret underground lair with this delightful Hackaday-Dilbert mashup-inator. Scroll down to the second item on the page and you’ll see what appears to be a standard three-panel Dilbert strip; closer inspection reveals that the text has been replaced by random phrases scraped from a single Hackaday article. It looks just like a Dilbert strip, and sometimes the text even makes sense with what’s going on in the art. We’d love to see the code behind this little gem. The strip updates at each page load, so have fun.

And of course, the aforementioned secret headquarters is exactly what you’d picture – a dark room with rows of monitors scrolling green text, each with a black hoodie-wearing writer furiously documenting the black arts of hacking. OpenIDEO, the “open innovation practice” of global design company IDEO, has issued a challenge to “reimagine a more compelling and relatable visual language for cybersecurity.” In other words, no more scrolling random code and no more hoodies. Do you have kinder, gentler visual metaphors for cybersecurity? You might win some pretty decent prizes for your effort to “represent different terms and ideas in the cybersecurity space in an accessible and compelling way.”

New Bluetooth 5 Channel Hopping Reverse Engineered For Jamming And Hijacking

Bluetooth Low Energy (BLE) 5 has been around since 2016 with the most recent version 5.2 published just this year. There’s not much hardware out there that’s using the new hotness. That didn’t stop [Damien Cauquil] from picking apart BLE 5’s new frequency hopping techniques and updating his BtleJack tool to allow sniffing, jamming and hijacking hardware using the new protocol.

As you can imagine, the BLE standard is a complicated beast, and just one part of it is the topic here: the PRNG-based frequency hopping scheme that is vastly different from BLE 4.x and earlier. The new standard, called Channel Selection Algorithm (CSA) #2, uses 65535 possible channels, compared to just 37 channels used by its predecessor. Paired devices agree to follow a randomized list of all possible channels in sequence so that they remain in synchronization between hops. This was put in place to help avoid collisions, making it possible for many more BLE devices to operate in close proximity. This is important to note since it quickly becomes obvious that it’s not a robust security measure by any means.

To begin channel hopping the two devices must first agree on an order in which to hop, ensuring they’ll meet one another after each leap. To do so they both run the same 32-bit seed number through a PRNG algorithm, generating a list that will then be followed exactly in order. But it turns out this is not very difficult to figure out. All that’s needed is the access address, whose top 16 bits are publicly available if you’re already sniffing packets, while the bottom 16 bits are the counter that increments through the hop list.

If you want to jam or hijack BLE 5 communication you need to establish which “randomized” channel list is being used, and the value of the counter that serves as an index to this list. To do so, [Damien] sniffs packets on two different channels. These channels will be used over and over again as it loops through the channel list, so calculating how much time occurs between each channel indicates how far apart these channels are on the list.

In practice, [Damien] first implemented a sieve (the same concept as the Sieve of Eratosthenes for finding primes) that starts with a list of all possibilities and removes those that don’t contain a matching timing between the two channels. Keep doing this, and eventually, you’ll whittle your list down to one possible channel order.

This certainly worked, but there were timing issues that sometimes meant you could learn the seed but couldn’t then sync with it after the fact. His second approach uses pattern matching. By measuring hops on 11 consecutive channels, he’s able to synchronize with target devices in a minute or less. From there, jamming or hijacking methods come into play. The randomization of this scheme is really marginal. A more robust technique would have used an internal state in both devices to generate the next hopping channel. This would have been much more difficult for an attacker to figure out. From the device perspective, CSA #2 takes very little computation power which is key for power-sipping IoT devices most often using BLE.

As mentioned before, [Damien] had trouble finding any hardware in the wild using the BLE 5 standard. His proof of concept is built on a pair of nRF52840 development boards. Because it needs more testing, the code hasn’t been merged into the main version of BtleJack, but you can still get it right now by heading over to the BtleJack repo on GitHub.
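The channel selection the article describes, as an added example that is not part of the post or of BtleJack: a straight Python implementation of CSA #2 as published in the Bluetooth Core Specification (Vol 6, Part B, 4.5.8.3). Its only inputs are the access address, the connection event counter and the channel map, none of which is secret, which is the concrete reason the scheme must be treated as collision avoidance rather than as a security measure. The access address 0x8E89BED6 (the advertising access address) and the nine-channel map are constructed test inputs.

```python
# CSA #2 channel selection (Bluetooth Core Spec, Vol 6 Part B, 4.5.8.3).
# Added example: the hop sequence is a pure function of public values.

CHANNEL_COUNT = 37  # BLE data channels 0..36


def _perm(v: int) -> int:
    """PERM step: bit-reverse each of the two bytes; bytes stay in place."""
    lo = int(f"{v & 0xFF:08b}"[::-1], 2)
    hi = int(f"{(v >> 8) & 0xFF:08b}"[::-1], 2)
    return (hi << 8) | lo


def _mam(a: int, b: int) -> int:
    """MAM step: multiply-add-modulo, (a * 17 + b) mod 2^16."""
    return (a * 17 + b) & 0xFFFF


def csa2_prn(event_counter: int, access_address: int) -> int:
    """16-bit pseudo-random value for one connection event."""
    # channelIdentifier = AA[31:16] XOR AA[15:0]; derived from a sniffable value.
    channel_id = ((access_address >> 16) ^ access_address) & 0xFFFF
    prn = (event_counter & 0xFFFF) ^ channel_id
    for _ in range(3):
        prn = _mam(_perm(prn), channel_id)
    return prn ^ channel_id


def csa2_channel(event_counter: int, access_address: int, channel_map: int) -> int:
    """Data channel used for this event; channel_map bit i set = channel i usable."""
    used = [ch for ch in range(CHANNEL_COUNT) if (channel_map >> ch) & 1]
    prn = csa2_prn(event_counter, access_address)
    unmapped = prn % CHANNEL_COUNT
    if (channel_map >> unmapped) & 1:
        return unmapped
    # Unused channel: remap into the sorted list of used channels.
    return used[(len(used) * prn) >> 16]


def hop_sequence(access_address: int, channel_map: int, start: int, n: int) -> list:
    """The next n channels from a known counter value, reproducible by any observer."""
    return [csa2_channel(start + i, access_address, channel_map) for i in range(n)]


if __name__ == "__main__":
    AA = 0x8E89BED6            # constructed input (advertising access address)
    ALL_CHANNELS = 0x1FFFFFFFFF  # all 37 data channels usable
    print(hop_sequence(AA, ALL_CHANNELS, 1, 3))          # [20, 6, 21]
    print(hop_sequence(AA, 0x3FE00, 1, 3))               # channels 9..17 only: [9, 14, 12]
```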