Hackaday Links: October 18, 2020

Remember subliminal advertising? The idea was that a movie theater operator would splice a single frame showing a bucket of hot buttered popcorn into a movie, which moviegoers would see and process on a subconcious level and rush to the concession stand to buy the tub o’ petrochemical-glazed starch they suddenly craved. It may or may not work on humans, but it appears to work on cars with advanced driver assistance, which can be spoofed by “phantom street signs” flashed on electronic billboards. Security researchers at Ben Gurion University stuck an image of a stop sign into a McDonald’s ad displayed on a large LCD screen by the side of the road. That was enough to convince a Tesla Model X to put on the brakes as it passed by the sign. The phantom images were on the screen anywhere from an eighth of a second to a quarter second, so these aren’t exactly subliminal messages, but it’s still an interesting attack that bears looking into. And while we’re skeptical about the whole subliminal advertising thing in the first place, for some reason we really want a bacon cheeseburger right now.

Score one for the good guys in the battle against patent trolls. Mycroft AI, makers of open-source voice assistants, proudly announced their latest victory against what they claim are patent trolls. This appears to be one of those deals where a bunch of investors get together and buy random patents, and then claim that a company that actually built something infringes on their intellectual property. Mycroft got a letter from one such entity and decided to fight it; they’ve won two battles so far against the alleged trolls and it looks pretty good going forward. They’re not pulling their punches, either, since Mycroft is planning to go after the other parties for legal expenses and punitive damages under the State of Missouri’s patent troll legislation. Here’s hoping this sends a message to IP squatters that it may not be worth the effort and that their time and money are better spent actually creating useful things.

Good news from Mars — The Mole is finally completely buried! We’ve been following the saga of the HP³, or “Heat Flow and Physical Properties Package” aboard NASA’s Mars InSight lander for quite a while. The self-drilling “Mole”, which is essentially the guts of an impact screwdriver inside a streamlined case, has been having trouble dealing with the Martian regolith, which is simultaneously too soft to offer the friction needed to keep the penetrator in its hole, but also too hard to pierce in places where there is a “duricrust” of chemically amalgamated material below the surface. It took a lot of delicate maneuvers with the lander’s robotic arm to get the Mole back on track, and it’s clearly not out of the woods yet — it needs to get down to three meters depth or so to do the full program of science it was designed for.

If watching Martian soil experiments proceed doesn’t scratch your itch for space science, why not try running your own radio astronomy experiments? Sure, you could build your own radio telescope to do that, but you don’t even have to go that far — just log into PICTOR, the free-to-use radio telescope. It’s a 3.2-m parabolic dish antenna located near Athens, Greece that’s geared toward hydrogen line measurements of the galaxy. You can set up an observation run and have the results mailed back to you for later analysis.

Here’s a fun, quick hack for anyone who hates the constant drone of white noise coming from fans. Build Comics apparently numbers themselves among that crowd, and decided to rig up a switch to turn on their fume extractor only when the soldering iron is removed from its holder. This hack was executed on a classic old Weller soldering station, but could easily be adapted to Hakko or other irons

And finally, if you’ve never listened to a Nobel laureate give a lecture, here’s your chance. Andrea Ghez, co-winner of the 2020 Nobel Prize in physics for her work on supermassive black holes, will be giving the annual Maria Goeppert Mayer lecture at the University of Chicago. She’ll be talking about exactly what she won the Nobel for: “The Monster at the Heart of Our Galaxy”, the supermassive black hole Sagittarius A*. We suspect the talk was booked before the Nobel announcement, so in normal times the room would likely be packed. But one advantage to the age of social distancing is that everything is online, so you can tune into a livestream of the lecture on October 22.

Breaking Smartphone NFC Firmware: The Gory Details

Near-field Communication (NFC) has been around a while and is used for example in access control, small data exchange, and of course in mobile payment systems. With such sensitive application areas, security is naturally a crucial element of the protocol, and therefore any lower-level access is usually heavily restricted and guarded.

This hardware is especially well-guarded in phones, and rooting your Android device won’t be of much help here. Well, that was of course only until [Christopher Wade] took a deep look into that subject, which he presented in his NFC firmware hacking talk at for this year’s DEF CON.

But before you cry out “duplicate!” in the comments now, [Jonathan Bennett] has indeed mentioned the talk in a recent This Week In Security article, but [Christopher] has since written up the content of his talk in a blog post that we thought deserves some additional attention.

To recap: [Christopher] took a rooted Samsung S6 and searched for vulnerabilities in the NFC chip’s safe firmware update process, in hopes to run a custom firmware image on it. Obviously, this wouldn’t be worth mentioning twice if he hadn’t succeeded, and he goes at serious length into describing how he got there. Picking a brain like his by reading up on the process he went through — from reverse engineering the firmware to actually exploiting a weakness that let him run his own code — is always fascinating and downright fun. And if you’re someone who prefers the code to do the talking, the exploits are on GitHub.

Naturally, [Christopher] disclosed his findings to Samsung, but the exploited vulnerability — and therefore the ability to reproduce this — has of course been out there for a long time already. Sure, you can use a Proxmark device to attack NFC, or the hardware we saw a few DEF CONs back, but a regular-looking phone will certainly raise a lot less suspicion at the checkout counter, and might open whole new possibilities for penetration testers. But then again, sometimes a regular app will be enough, as we’ve seen in this NFC vending machine hack.

Continue reading “Breaking Smartphone NFC Firmware: The Gory Details”

Eavesdropping On Satellites For Fun And Profit

Geosynchronous satellites, girdling the Earth from their perches 36,000 km above the equator, are remarkably useful devices. Depending on where they’re parked, they command views of perhaps a third of the globe at a time, making them perfect communications relays. But as [James Pavur] points out in his DEF CON Safe Mode talk, “Whispers Among the Stars”, geosynchronous satellite communication links are often far from secure.

[James], a D. Phil. student in Systems Security at Oxford University, relates that his exploits rely on the wide areas covered by the downlink signals from the satellites, coupled with security as an afterthought, if it was even thought of at all by satellite service providers. This lackadaisical approach let him use little more than a regular digital satellite TV dish and a tuner card for a PC — off-the-shelf stuff that you’d really have to try hard to spend more than $300 on — to tap into sensitive information.

While decoding the digital signals from satellites into something parseable can be done with commercial applications, [James] and his colleagues built a custom tool, GSExtract, to pull data from the often noisy signals coming down from on high. The setup returned an amazing bounty of information, like maritime operators relaying the passport information of crew members from ship to shore, point-of-sale terminal information from cruise ships in the Mediterranean, and in-flight entertainment systems in jet airliners. The last example proved particularly alarming, as it revealed an exploitable connection between the systems dedicated to keeping passengers content and those in the cockpit, which clearly should not be the case.

We found [James’] insights on these weaknesses in satellite communications fascinating, and it’s well worth the 45 minutes to watch the video below and perhaps try these exploits, which amount to side-channel attacks, for yourself.

Continue reading “Eavesdropping On Satellites For Fun And Profit”

Side-Channel Attack Turns Power Supply Into Speakers

If you work in a secure facility, the chances are pretty good that any computer there is going to be stripped to the minimum complement of peripherals. After all, the fewer parts that a computer has, the fewer things that can be turned into air-gap breaching transducers, right? So no printers, no cameras, no microphones, and certainly no speakers.

Unfortunately, deleting such peripherals does you little good when [Mordechai Guri] is able to turn a computer power supply into a speaker that can exfiltrate data from air-gapped machines. In an arXiv paper (PDF link), [Guri] describes a side-channel attack of considerable deviousness and some complexity that he calls POWER-SUPPLaY. It’s a two-pronged attack with both a transmitter and receiver exploit needed to pull it off. The transmitter malware, delivered via standard methods, runs on the air-gapped machine, and controls the workload of the CPU. These changes in power usage result in vibrations in the switch-mode power supply common to most PCs, particularly in the transformers and capacitors. The resulting audio frequency signals are picked up by a malware-infected receiver on a smartphone, presumably carried by someone into the vicinity of the air-gapped machine. The data is picked up by the phone’s microphone, buffered, and exfiltrated to the attacker at a later time.

Yes, it’s complicated, requiring two exploits to install all the pieces, but under the right conditions it could be feasible. And who’s to say that the receiver malware couldn’t be replaced with the old potato chip bag exploit? Either way, we’re glad [Mordechai] and his fellow security researchers are out there finding the weak spots and challenging assumptions of what’s safe and what’s vulnerable.

Continue reading “Side-Channel Attack Turns Power Supply Into Speakers”

GPU Turned Into Radio Transmitter To Defeat Air-Gapped PC

Another week, another exploit against an air-gapped computer. And this time, the attack is particularly clever and pernicious: turning a GPU into a radio transmitter.

The first part of [Mikhail Davidov] and [Baron Oldenburg]’s article is a review of some of the basics of exploring the RF emissions of computers using software-defined radio (SDR) dongles. Most readers can safely skip ahead a bit to section 9, which gets into the process they used to sniff for potentially compromising RF leaks from an air-gapped test computer. After finding a few weak signals in the gigahertz range and dismissing them as attack vectors due to their limited penetration potential, they settled in on the GPU card, a Radeon Pro WX3100, and specifically on the power management features of its ATI chipset.

With a GPU benchmarking program running, they switched the graphics card shader clock between its two lowest power settings, which produced a strong signal on the SDR waterfall at 428 MHz. They were able to receive this signal up to 50 feet (15 meters) away, perhaps to the annoyance of nearby hams as this is plunk in the middle of the 70-cm band. This is theoretically enough to exfiltrate data, but at a painfully low bitrate. So they improved the exploit by forcing the CPU driver to vary the shader clock frequency in one megahertz steps, allowing them to implement higher throughput encoding schemes. You can hear the change in signal caused by different graphics being displayed in the video below; one doesn’t need much imagination to see how malware could leverage this to exfiltrate pretty much anything on the computer.

It’s a fascinating hack, and hats off to [Davidov] and [Oldenburg] for revealing this weakness. We’ll have to throw this on the pile with all the other side-channel attacks [Samy Kamkar] covered in his 2019 Supercon talk.

Continue reading “GPU Turned Into Radio Transmitter To Defeat Air-Gapped PC”

Fail Of The Week: Padlock Purports To Provide Protection, Proves Pathetic

Anyone in the know about IoT security is likely to steer clear of a physical security product that’s got some sort of wireless control. The list of exploits for such devices is a long, sad statement on security as an afterthought, if at all. So it’s understandable if you think a Bluetooth-enabled lock is best attacked via its wireless stack.

As it turns out, the Master 5440D Bluetooth Key Safe can be defeated in a few minutes with just a screwdriver. The key safe is the type a realtor or AirBnB host would use to allow access to a property’s keys. [Bosnianbill] embarked on an inspection of the $120 unit, looking for weaknesses. When physical attacks with a hammer and spoofing the solenoids with a magnet didn’t pay off, he decided to strip off the resilient skin that Master so thoughtfully provided to prevent the box from marring the finish of a door or gate. The denuded device thus revealed its awful secret: two Phillips screws, each securing a locking shackle to the cover. Once those are loose, a little prying with a screwdriver is all that’s need to get the keys to the kingdom.

In a follow-up video posted later, [Bill] took a closer look at another key safe and found that Master had made an anemic effort to fix this vulnerability with a squirt of epoxy in each screw head. It’s weak, at best, since a tap with a hammer compresses the gunk enough to get a grip on the screw.

We really thought [Bosnianbill]’s attack would be electronic, like that time [Dave Jones] cracked a safe with an oscilloscope. Who’d have thought a screwdriver would be the best way past the wireless stack?

Continue reading “Fail Of The Week: Padlock Purports To Provide Protection, Proves Pathetic”

Hackaday Links: November 17, 2019

Friday, November 15, 2019 – PASADENA. The 2019 Hackaday Superconference is getting into high gear as I write this. Sitting in the Supplyframe HQ outside the registration desk is endlessly entertaining, as attendees pour in and get their swag bags and badges. It’s like watching a parade of luminaries from the hardware hacking world, and everyone looks like they came ready to work. The workshops are starting, the SMD soldering challenge is underway, and every nook and cranny seems to have someone hunched over the amazing Hackaday Superconference badge, trying to turn it into something even more amazing. The talks start on Saturday, and if you’re not one of the lucky hundreds here this weekend, make sure you tune into the livestream so you don’t miss any of the action.

The day when the average person is able to shoot something out of the sky with a laser is apparently here. Pablo, who lives in Argentina, has beeing keeping tabs on the mass protests going on in neighboring Chile. Huge crowds have been gathering regularly over the last few weeks to protest inequality. The crowd gathered in the capital city of Santiago on Wednesday night took issue with the sudden appearance of a police UAV overhead. In an impressive feat of cooperation, they trained 40 to 50 green laser pointers on the offending drone. The videos showing the green beams lancing through the air are quite amazing, and even more amazing is the fact that the drone was apparently downed by the lasers. Whether it was blinding the operator through the FPV camera or if the accumulated heat of dozens of lasers caused some kind of damage to the drone is hard to say, and we’d guess that the drone was not treated too kindly by the protestors when it landed in the midsts, so there’s likely not much left of the craft to do a forensic analysis, which is a pity. We will note that the protestors also trained their lasers on a police helicopter, an act that’s extremely dangerous to the human pilots which we can’t condone.

In news that should shock literally nobody, Chris Petrich reports that there’s a pretty good chance the DS18B20 temperature sensor chips you have in your parts bin are counterfeits. Almost all of the 500 sensors he purchased from two dozen vendors on eBay tested as fakes. His Github readme has an extensive list that lumps the counterfeits into four categories of fake-ness, with issues ranging from inaccurate temperature offsets to sensors without EEPROM that don’t work with parasitic power. What’s worse, a lot of the fakes test almost-sorta like authentic chips, meaning that they may work in your design, but that you’re clearly not getting what you paid for. The short story to telling real chips from the fakes is that Maxim chips have laser-etched markings, while the imposters sport printed numbers. If you need the real deal, Chris suggests sticking with reputable suppliers with validated supply chains. Caveat emptor.

A few weeks back we posted a link to the NXP Homebrew RF Design Challenge, which tasked participants to build something cool with NXP’s new LDMOS RF power transistors. The three winners of the challenge were just announced, and we’re proud to see that Razvan’s wonderfully engineered broadband RF power amp, which we recently featured, won second place. First place went to Jim Veatch for another broadband amp that can be built for $80 using an off-the-shelf CPU heatsink for thermal management. Third prize was awarded to a team lead by Weston Braun, which came up with a switch-mode RF amp for the plasma cavity for micro-thrusters for CubeSats, adorably named the Pocket Rocket. We’ve featured similar thrusters recently, and we’ll be doing a Hack Chat on the topic in December. Congratulations to the winners for their excellent designs.