ESP32 Hash Monster Fills Pockets With Packets

Unless you’re reading this from the middle of the ocean or deep in the forest, it’s a pretty safe bet there are WiFi packets zipping all around you right now. Capturing them is just a matter of having the right hardware and software, and from there, you can get to work on cracking the key used to encrypt them. While such things can obviously have nefarious connotations, there are certainly legitimate reasons for auditing the strength of the wireless networks in the area.

It might not have the computational horsepower to crack any encryption itself, but the ESP32 M5Stack is more than up to the task of capturing WiFi packets if you install the Hash Monster firmware developed by [G4lile0]. Even if you don’t intend on taking things further, this project makes finding WiFi access points and grabbing their packets a fascinating diversion with the addition of a few graphs and an animated character (the eponymous monster itself) that feeds on all those invisible 1s and 0s in the air.

There’s some excellent documentation floating around that shows you the start to finish process of popping open a WiFi network with the help of Hash Monster, but that’s only the beginning of what’s possible with this gadget. A quick search uncovers a number of software projects that make use of the specific advantages of the M5Stack compared to more traditional ESP32 boards, namely the built-in screen, buttons, and battery. We’ve even seen it used in a few builds here on Hackaday, such as this DIY thermal camera and custom shipboard computer system.

[Thanks to Manuel for the tip.]

Hacking D-Link Firmware

When [0xRickSanchez] found some D-Link firmware he couldn’t unpack, he was curious to find out why. The firmware had a new encryption method which was doing its job of preventing tampering and static analysis. Of course, he had to figure out how to get around it and is documenting his work in a series of blog posts.

Entropy analysis showed the data to be indistinguishable from random, a good sign it was either encrypted or compressed. The target router cost about $200, but a similar cheaper router used the same encryption, so that model became the hardware of choice for testing.
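A worked version of that first triage step, added here as an example rather than taken from [0xRickSanchez]’s write-up: it computes Shannon entropy over constructed sample blobs and makes the check that matters in practice explicit, namely that entropy alone cannot tell a compressed image from an encrypted one, so you rule compression out by header before concluding a cipher is in play. The magic table is a partial, assumed set, and the “ciphertext” is a SHA-256 hash chain standing in for real cipher output.

```python
"""Entropy triage of an unknown firmware blob.

Added example for this page; it is not [0xRickSanchez]'s tooling. The
three inputs are constructed inline: config-like plaintext, the same text
zlib-compressed, and a SHA-256 hash chain standing in for ciphertext (the
stdlib has no block cipher, and good cipher output looks uniform anyway).
"""
import hashlib
import math
import zlib
from collections import Counter
from typing import Dict, List, Optional

# Partial table of compression container magics at offset 0 (assumption:
# the set a triage script checks first; extend as needed).
COMPRESSION_MAGICS = {
    "gzip": b"\x1f\x8b",
    "bzip2": b"BZh",
    "xz": b"\xfd7zXZ\x00",
    "lzma": b"\x5d\x00\x00",
    "zstd": b"\x28\xb5\x2f\xfd",
    "lz4": b"\x04\x22\x4d\x18",
    "squashfs": b"hsqs",
}
ZLIB_SECOND_BYTES = {0x01, 0x5E, 0x9C, 0xDA}  # valid FLG bytes after a 0x78 CMF


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, window: int = 2048) -> List[float]:
    """Per-window entropy, the curve a binwalk -E style plot draws.
    Small windows bias the estimate down (256 random bytes score about
    7.2, not 8.0), so keep windows in the kilobyte range."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def compression_header(data: bytes) -> Optional[str]:
    """Name of a recognised compression container at offset 0, else None."""
    if len(data) >= 2 and data[0] == 0x78 and data[1] in ZLIB_SECOND_BYTES:
        return "zlib"
    for name, magic in COMPRESSION_MAGICS.items():
        if data.startswith(magic):
            return name
    return None


def classify(data: bytes, threshold: float = 7.9) -> str:
    """Entropy cannot separate compression from encryption, so a known
    header is checked first; no header plus near-maximal entropy over the
    whole blob is the situation the D-Link write-up describes."""
    header = compression_header(data)
    if header:
        return f"compressed ({header})"
    if shannon_entropy(data) >= threshold:
        return "high entropy, no known header: likely encrypted"
    return "low entropy: structured or plaintext data"


def sample_blobs() -> Dict[str, bytes]:
    """Constructed inputs, not data from any real firmware image."""
    plaintext = "\n".join(
        f"iface eth{i} addr 10.{i % 254}.{(i * 7) % 254}.1/24 mtu 1500"
        for i in range(300)
    ).encode()
    compressed = zlib.compress(plaintext, 9)          # starts 0x78 0xda
    ciphertext = b"".join(
        hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(256)
    )                                                  # 8 KiB of uniform-looking bytes
    return {"plaintext": plaintext, "compressed": compressed, "ciphertext": ciphertext}


if __name__ == "__main__":
    for name, blob in sample_blobs().items():
        windows = " ".join(f"{e:.2f}" for e in entropy_profile(blob))
        print(f"{name:10s} {len(blob):6d} B  mean {shannon_entropy(blob):.3f}  "
              f"windows [{windows}]  -> {classify(blob)}")
```

Running it prints one line per blob; the compressed one is caught by its zlib header even though its entropy is also high, and only the header-less, near-8.0 blob is reported as likely encrypted. A real image can of course carry a compression container somewhere other than offset 0, which is why a per-window profile is worth plotting alongside the single whole-blob figure.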


Share Your Clipboard Across Machines Using MQTT

Many of us regularly move from one computer to another for work, play, and hacking, and every now and then we find ourselves wishing we could copy something on one machine and paste it on another without additional steps in between. [Ayan Pahwa] was well acquainted with this frustration, so he created AnywhereDoor, a cross-platform clipboard sharing utility that uses MQTT.

Some cloud-based solutions already exist to do this, but that means sending your private clipboard data to someone else’s server. Not keen on that idea, [Ayan]’s solution makes use of an MQTT broker that can run anywhere on the local network, and lightweight Python clients that run on Mac, Windows and Linux. Each client checks its clipboard at a set interval and publishes new contents to a topic on the broker, to which all the clients are subscribed. The payload is end-to-end encrypted with Fernet (symmetric AES-CBC plus an HMAC, from the Python cryptography library), so the broker only ever relays ciphertext and nobody else on the network can read it or tamper with it undetected. The flip side of a shared symmetric key is that every machine holds the same secret, so that key is the whole security boundary. Currently, AnywhereDoor only supports copying text, but media is planned for a future version.
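To make that architecture concrete, here is an added example (not AnywhereDoor’s code) of the same poll, publish and subscribe loop with an in-memory stand-in for the MQTT broker, a string attribute standing in for the OS clipboard, and a token in Fernet’s layout (version, timestamp, nonce, ciphertext, HMAC) built from stdlib HMAC-SHA256 in place of Fernet’s AES-CBC, since the standard library has no AES. The client names, the topic and the 32-byte shared key are assumptions.

```python
"""Clipboard sync over a pub/sub broker with a shared symmetric key.

Added example for this page, not AnywhereDoor's code. An in-memory broker
stands in for MQTT, a string attribute for the OS clipboard, and an
HMAC-SHA256 based authenticated stream cipher in Fernet's token layout for
Fernet's AES-CBC. Assumption: every client got the same 32-byte key out of band.
"""
import base64, hashlib, hmac, json, os, struct, time
from typing import Callable, Dict, List, Optional

VERSION, HEADER_LEN, TAG_LEN = b"\x80", 1 + 8 + 16, 32   # version|ts|nonce ... |hmac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode with HMAC-SHA256 as the PRF: block i = HMAC(k, nonce || i).
    blocks = (hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes, now: Optional[int] = None) -> bytes:
    """base64url(version || timestamp || nonce || ciphertext || HMAC).
    As with Fernet, key[:16] is the signing half and key[16:] the encryption half."""
    sign_key, enc_key = key[:16], key[16:]
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    body = VERSION + struct.pack(">Q", int(time.time() if now is None else now)) + nonce + ct
    return base64.urlsafe_b64encode(body + hmac.new(sign_key, body, hashlib.sha256).digest())


def open_token(key: bytes, token: bytes, ttl: int = 60, now: Optional[int] = None) -> bytes:
    """Verify the MAC before parsing anything else, then the age; ValueError on failure."""
    sign_key, enc_key = key[:16], key[16:]
    raw = base64.urlsafe_b64decode(token)                 # binascii.Error is a ValueError
    if len(raw) < HEADER_LEN + TAG_LEN or raw[:1] != VERSION:
        raise ValueError("malformed token")
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(sign_key, body, hashlib.sha256).digest()):
        raise ValueError("bad MAC: tampered, or a different key")
    ts = struct.unpack(">Q", body[1:9])[0]
    if int(time.time() if now is None else now) - ts > ttl:
        raise ValueError("token too old (replay or clock skew)")
    nonce, ct = body[9:HEADER_LEN], body[HEADER_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class FakeBroker:
    """Stand-in for an MQTT broker: relays opaque payloads by topic and logs
    exactly what it (or a sniffer on the LAN) gets to see."""
    def __init__(self) -> None:
        self.subs: Dict[str, List[Callable[[bytes], None]]] = {}
        self.seen: List[bytes] = []

    def subscribe(self, topic: str, cb: Callable[[bytes], None]) -> None:
        self.subs.setdefault(topic, []).append(cb)

    def publish(self, topic: str, payload: bytes) -> None:
        self.seen.append(payload)
        for cb in self.subs.get(topic, []):
            cb(payload)


class ClipboardClient:
    def __init__(self, name: str, key: bytes, broker: FakeBroker, topic: str = "clipboard/shared") -> None:
        self.name, self.key, self.broker, self.topic = name, key, broker, topic
        self.clipboard = ""          # stands in for pyperclip.paste() / copy()
        self._last_seen = ""
        self.rejected = 0
        broker.subscribe(topic, self.on_message)

    def poll(self) -> None:
        """Runs on a timer in a real client; publishes only when the clipboard changed."""
        if self.clipboard != self._last_seen:
            self._last_seen = self.clipboard
            msg = json.dumps({"from": self.name, "text": self.clipboard}).encode()
            self.broker.publish(self.topic, seal(self.key, msg))

    def on_message(self, payload: bytes) -> None:
        try:
            msg = json.loads(open_token(self.key, payload))
        except ValueError:
            self.rejected += 1       # unauthenticated bytes never reach the clipboard
            return
        if msg["from"] != self.name:                        # skip our own echoed publish
            self._last_seen = self.clipboard = msg["text"]  # adopt it without re-publishing


def demo() -> dict:
    """Constructed scenario: two clients, one sync, one tampered and one stale token."""
    key = os.urandom(32)
    broker = FakeBroker()
    a, b = ClipboardClient("laptop", key, broker), ClipboardClient("desktop", key, broker)
    a.clipboard = "hunter2 is not a good password"
    a.poll()
    b.poll()                                              # nothing new on b, so no publish
    wire = base64.urlsafe_b64decode(broker.seen[0])
    flipped = bytearray(wire)
    flipped[HEADER_LEN + 5] ^= 0x01                       # attacker flips a ciphertext bit
    b.on_message(base64.urlsafe_b64encode(bytes(flipped)))
    b.on_message(seal(key, b'{"from": "x", "text": "old"}', now=int(time.time()) - 3600))
    return {"synced": b.clipboard == a.clipboard, "published": len(broker.seen),
            "plaintext_on_wire": b"hunter2" in wire, "rejected": b.rejected}


if __name__ == "__main__":
    print(demo())
```

Running it shows what the broker, or a sniffer on the LAN, actually sees: a base64 token with the timestamp in the clear and nothing resembling the copied text, and a token with a flipped ciphertext bit or a stale timestamp is dropped before it reaches the clipboard. What the scheme does not hide is traffic analysis (that something was copied, when, and roughly how long it was), and since every client holds the same key, whoever lifts that key from any one machine reads everything.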

We like the relative simplicity of the utility, and see it being very handy for hackers bouncing between machines in the lab. Simple software utilities that solve a specific and real problem can be very useful, like a wiring documentation tool, or a KiCad to isolation routing patchwork converter.

Polymorphic String Encryption Gives Code Hackers Bad Conniptions

When it comes to cyber security, there’s nothing worse than storing important secret data in plaintext. With even the greenest malicious actors more than capable of loading up a hex editor or decompiler, code can quickly be compromised when proper precautions aren’t taken in the earliest stages of development. To help avoid this, encryption can be used to hide sensitive data from prying eyes. While a simple XOR used to be a quick and dirty way to do this, for something really sophisticated, polymorphic encryption is a much better way to go.

A helpful tool to achieve this is StringEncrypt by [PELock]. An extension for Visual Studio Code, it’s capable of encrypting strings and data files in over 10 languages. Using polymorphic encryption techniques, the algorithm used is unique every time, along with the encryption keys themselves. This makes it far more difficult for those reverse engineering a program to decrypt important strings or data, since there is no fixed decryption routine to search for. Bear in mind what that does and doesn’t buy you: the constants and the decoder still ship inside the binary, so it raises the cost of static analysis and signature matching but won’t stop someone who runs the program under a debugger and reads the decrypted string out of memory.
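StringEncrypt’s own algorithm isn’t published, so the following is an added illustration of the general idea rather than the tool’s code: each string gets a random composition of invertible byte operations with random constants, and a C decoder matching that exact composition is emitted alongside the ciphertext. The operation set, the labels and the function naming are assumptions; the generator is written in Python and emits C because that is where such strings usually end up.

```python
"""Per-string polymorphic encryption with a generated decoder stub.

Added example for this page; not StringEncrypt's algorithm. Every string
gets its own random sequence of invertible byte operations and its own
constants, and a decoder matching that sequence is emitted, so no two
protected builds share a decryption routine to write a signature for.
"""
import random
import string
from typing import List, Optional, Tuple

Op = Tuple[str, int]  # ("xor" | "add" | "sub" | "rol", constant)


def _fwd(op: Op, c: int, i: int) -> int:
    name, k = op
    if name == "xor":      # key slides with the index, so repeated bytes differ
        return c ^ ((k + i) & 0xFF)
    if name == "add":
        return (c + k) & 0xFF
    if name == "sub":
        return (c - k) & 0xFF
    return ((c << k) | (c >> (8 - k))) & 0xFF          # rotate left by k bits


def _inv(op: Op, c: int, i: int) -> int:
    name, k = op
    inverse = {"xor": ("xor", k), "add": ("sub", k), "sub": ("add", k), "rol": ("rol", 8 - k)}
    return _fwd(inverse[name], c, i)


def generate_recipe(rng: random.Random, min_ops: int = 2, max_ops: int = 4) -> List[Op]:
    recipe: List[Op] = []
    for _ in range(rng.randint(min_ops, max_ops)):
        name = rng.choice(["xor", "add", "sub", "rol"])
        recipe.append((name, rng.randint(1, 7) if name == "rol" else rng.randint(1, 255)))
    return recipe


def encrypt(plaintext: bytes, recipe: List[Op]) -> bytes:
    return bytes(_apply(recipe, c, i) for i, c in enumerate(plaintext))


def _apply(recipe: List[Op], c: int, i: int) -> int:
    for op in recipe:
        c = _fwd(op, c, i)
    return c


def decrypt(ciphertext: bytes, recipe: List[Op]) -> bytes:
    """Reference decoder: inverse ops in reverse order, exactly what the C stub does."""
    out = bytearray()
    for i, c in enumerate(ciphertext):
        for op in reversed(recipe):
            c = _inv(op, c, i)
        out.append(c)
    return bytes(out)


_C_INVERSE = {   # C statement undoing each op; c is an unsigned char, i the index
    "xor": "c ^= (unsigned char)(0x{k:02x} + i);",
    "add": "c = (unsigned char)(c - 0x{k:02x});",
    "sub": "c = (unsigned char)(c + 0x{k:02x});",
    "rol": "c = (unsigned char)((c >> {k}) | (c << {r}));",
}


def emit_c(label: str, plaintext: bytes, seed: Optional[int] = None) -> Tuple[str, List[Op], bytes]:
    """Return C source with the encrypted bytes and a decoder unique to this
    string, plus the recipe and ciphertext so a build step can verify them.
    A seed is for reproducible tests only; production uses SystemRandom."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    recipe = generate_recipe(rng)
    ct = encrypt(plaintext, recipe)
    suffix = "".join(rng.choice(string.ascii_lowercase + string.digits) for _ in range(8))
    lines = [
        f"/* {label}: {len(ct)} encrypted bytes, decoder generated per build */",
        f"static unsigned char {label}_{suffix}[{len(ct)}] = {{"
        + ", ".join(f"0x{b:02x}" for b in ct) + "};",
        f"static void decrypt_{label}_{suffix}(unsigned char *s, unsigned n) {{",
        "    for (unsigned i = 0; i < n; i++) {",
        "        unsigned char c = s[i];",
    ]
    for name, k in reversed(recipe):
        lines.append("        " + _C_INVERSE[name].format(k=k, r=8 - k))
    lines += ["        s[i] = c;", "    }", "}"]
    return "\n".join(lines), recipe, ct


if __name__ == "__main__":
    src, recipe, ct = emit_c("banner", b"Secret API endpoint")
    assert decrypt(ct, recipe) == b"Secret API endpoint"
    print(src)
```

Two runs on the same input yield different ciphertext and a different decoder body, which is what defeats a byte-pattern signature for the decryption routine. It does not change the fundamental limit noted above: the constants and the stub are in the binary, so a breakpoint on the decoder hands over the plaintext.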

While the free demo is limited in scope, the price for the full version is quite reasonable, and we expect many out there could find it a useful addition to their development toolkit. We’ve discussed similar techniques before, often used to make harder-to-detect malware.

[Thanks to Dawid for the tip!]

Grey Gear: French TV Encryption, 1980s Style

Who among us didn’t spend some portion of their youth trying in vain to watch a scrambled premium cable TV channel or two? It’s a wonder we didn’t blow out our cones and rods watching those weird colors and wavy lines dance across the screen like a fever dream.

In the early days of national premium television in America, anyone who’d forked over the cash and erected a six-foot satellite dish in the backyard could tune in channels like HBO, Showtime, and the first 24-hour news network, CNN. Fed up with freeloaders, these channels banded together to encrypt their transmissions and force people to buy expensive de-scrambling boxes. On top of that, subscribers had to pay a monthly pittance to keep the de-scrambler working.

EARN IT: Privacy, Encryption, And Policing In The Information Age

You may have heard about a new bill working its way through the US Congress, the EARN IT act. That’s the “Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2020”. (What does that mean? It means someone really wanted their initials to spell out “EARN IT”.)

EARN IT is a bipartisan bill that claims to be an effort to put a dent in child exploitation online. It’s also managed to catch the attention of the EFF, Schneier, and a variety of news outlets. The overwhelming opinion has been that EARN IT is a terrible idea, will make implementing end-to-end encryption impossible, and violates the First and Fourth Amendments. How does a bill intended to combat child pornography and sex trafficking end up on the EFF bad list? It’s complicated.


Can Solid Save The Internet?

We ran an article on Solid this week, a project that aims to do nothing less than change the privacy and security aspects of the Internet as we use it today. Sir Tim Berners-Lee, the guy who invented the World Wide Web as a side project at work, is behind it, and it’s got a lot to recommend it. I certainly hope they succeed.

The basic idea is that instead of handing your photos, your content, and your thoughts over to social media and other sharing platforms, you’d store your own personal data in a Personal Online Data (POD) container, and grant those companies revocable permission to read it on your behalf. It’s like it’s your own website contents, but with an API for sharing parts of it elsewhere.

This is a clever legal hack, because today you give over rights to your data so that Facebook and Co. can display them in your name. This gives them all the bargaining power, and locks you into their service. If instead, you simply gave Facebook a revocable access token, the power dynamic shifts. Today you can migrate your data and delete your Facebook account, but that’s a major hassle that few undertake.

Mike and I were discussing this on this week’s podcast, and we were thinking about the privacy aspects of PODs. In particular, whatever firm you use to socially share your stuff will still be able to snoop you out, map your behavior, and target you with ads and other content, because they see it while it’s in transit. But I failed to put two and two together.

The real power of a common API for sharing your content/data is that it will make it that much easier to switch from one sharing platform to another. This means that you could easily migrate to a system that respects your privacy. If we’re lucky, we’ll see competition in this space. At the same time, storing and hosting the data would be portable as well, hopefully promoting the best practices in the providers. Real competition in where your data lives and how it’s served may well save the Internet. (Or at least we can dream.)

This article is part of the newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter.

Want this type of article to hit your inbox every Friday morning? You should sign up!