Harmony Hub Hacked and Patched

When we say “hack” here we most often mean either modifying something to do something different or building something out of parts. But as we build more Internet-connected things, it is worthwhile to think about the other kind of hack where people gain unauthorized access to a system. For example, you wouldn’t think a remote control would be a big deal for hackers. But the Logitech Harmony Hub connects to the Internet and runs Linux. What’s more is it can control smart devices like door locks and thermostats, so hacking it could cause problems. FireEye’s Mandian Red Team set out to hack the Harmony and found it had a lot of huge security problems.

The remote didn’t check Logitech’s SSL certificate for validity. It didn’t have a secure update process. There were developer tools (an SSH server) left inactive in the production firmware and — surprisingly — the root password was blank! The team shared their findings with Logitech before publishing the report and the latest patch from the company fixes these problems. But it is instructive to think about how your Raspberry Pi project would fare under the same scrutiny.

In fact, that’s the most interesting part of the story is the blow-by-blow description of the attack. We won’t spoil the details, but the approach was to feed the device a fake update package that turned on a dormant ssh server. Although they started by trying to solder wires to a serial port, that wasn’t productive and the final attack didn’t require any of that.

We’ve looked at some ways to harden Linux systems like the Raspberry Pi before, but honestly, it is an ongoing battle. We’ve seen plenty of devices with cybersecurity holes in them — some not found by good guy hackers first.

Wireless Protocol Reverse Engineered to Create Wrist Wearable Mouse

We’ve seen a few near-future sci-fi films recently where computers respond not just to touchscreen gestures but also to broad commands, like swiping a phone to throw its display onto a large flat panel display. It’s a nice metaphor, and if we’re going to see something like it soon, perhaps this wrist-mounted pointing device will be one way to get there.

The video below shows the finished product in action, with the cursor controlled by arm movements. Finger gestures that are very much like handling a real mouse’s buttons are interpreted as clicks. The wearable has a Nano, an MPU6050 IMU, and a nRF24L01 transceiver, all powered by some coin cells and tucked nicely into a 3D-printed case. To be honest, as cool as [Ronan Gaillard]’s wrist mouse is, the real story here is the reverse engineering he and his classmate did to pull this one off.

The road to the finished product was very interesting and more detail is shared in their final presentation (in French and heavy with memes). Our French is sufficient only to decipher “Le dongle Logitech,” but there are enough packet diagrams supporting into get the gist. They sniffed the packets going between a wireless keyboard and its dongle and figured out how to imitate mouse movements using an NRF24 module. Translating wrist and finger movements to cursor position via the 6-axis IMU involved some fairly fancy math, but it all seems to have worked in the end, and it makes for a very impressive project.

Is sniffing wireless packets in your future? Perhaps this guide to Wireshark and the nRF24L01 will prove useful.

Continue reading “Wireless Protocol Reverse Engineered to Create Wrist Wearable Mouse”

Remote Controlled Streaming Speakers

For want of a better use of a spare Raspberry Pi Zero W and a set of LogitechZ-680 surround sound speakers, [Andre van Kammen] hacked them together to make them stream music playing from his phone.

It was stumbling across the Pi Music Box distribution that really got the ball rolling, and the purchase of a pHAT DAC laid the foundation. Cracking open the speakers’ controller case, [Kammen] was able to get 5V of power off some terminals even when the speakers were on standby — awesome! — which the Pi could use. Power and volume are controlled via the Pi’s GPIO pins with a diode to drop the voltage and prevent shorts.

Now, how to tell whether the speakers are on or off? Well, a pin on the display connector changes to 4.3V when it’s on, so wiring a 10k resistor and a diode to said pin is a hackable solution. Finishing off the wired connections, it proved possible to cram the pHAT DAC inside the controller case with the GPIO header sticking out the back to mount the Pi upon with no other external wires — double awesome!

Continue reading “Remote Controlled Streaming Speakers”

PC In A Mouse

[Slider2732] got his Orange Pi Zero working with a 3 watt amplifier, wireless keyboard (with built-in mouse), and car reversing monitor. But he needed a case to house it in. He remembered that he used to make parameters for ghost hunting by filling PC mouse cases with all sorts of electronics. So why not put the Orange Pi Zero in a mouse too? Looking through his mouse collection, he picked out an old Logitech optical mouse and went to work.

We like that the Logitech has transparent bottom halves, perfect for proving to anyone who might be skeptical that the PC really is in the mouse. A great enhancement we think would be to make the mouse actually be the mouse too! But there doesn’t seem to be enough room left for that. What’s smaller than a Pi Zero that will also run the armbian Linux distribution, OpenELEC Mediacenter, Kodi and a bunch of games?

He even set up the wireless networking for watching YouTube videos. Check out the build and demo video after the break.

Continue reading “PC In A Mouse”

Unexpected Betrayal From Your Right Hand Mouse

Some people really enjoy the kind of computer mouse that would not be entirely out of place in a F-16 cockpit. The kind of mouse that can launch a browser with the gentle shifting of one of its thirty-eight buttons ever so slightly to the left and open their garage door with a shifting to the right of that same button. However, can this power be used for evil, and not just frustrating guest users of their computer?

We’ve heard of the trusted peripheral being repurposed for nefarious uses before. Sometimes they’ve even been modified for more benign purposes. All of these have a common trend. The mouse itself must be physically modified to add the vulnerability or feature. However, the advanced mice with macro support can be used as is for a vulnerability.

The example in this case is a Logitech G-series gaming mouse. The mouse has the ability to store multiple personal settings in its memory. That way someone could take the mouse to multiple computers and still have all their settings available. [Stefan Keisse] discovered that the 100 command limit on the macros for each button are more than enough to get a full reverse shell on the target computer.

Considering how frustratingly easy it can be to accidentally press an auxiliary button on these mice, all an attacker would need to do is wait after delivering the sabotaged mouse. Video of the exploit after the break.

Continue reading “Unexpected Betrayal From Your Right Hand Mouse”

Fixing A Complicated Scrollwheel

[Thomas] loves his Logitech MX Master mouse, which has a pretty elaborate scroll-wheel mechanism. Perhaps too elaborate; it broke on him after a week of use, just when he was getting used to the feature. So what did he do? Took it apart and fixed it, naturally. And as a bonus, we get a guided tour of the interesting mechanism. Check out his video below to watch it in action.

The weighted scroll wheel switches between two different modes, one with a detent like you’re probably used to, and one where the wheel is allowed to spin freely for long-distance travel. And to do this, it’s actually got a little motor inside that rotates a cam and throws a lever into the side of the scroll wheel for the detent mode, and pulls the lever out of the way for free spins. It must also have some logic inside that detects how quickly the scroller is spun because it re-engages as soon as the scroll wheel stops.

Continue reading “Fixing A Complicated Scrollwheel”

Controlling Quadcopters With Wireless Mouse Dongles

Last week we gave away a few Crazyflie 2.0 quadcopters to some cool Hackaday Prize entries. This quadcopter ships with the intention of being controlled by your smartphone. But it can also be controlled by a PC with USB dongle and an nRF24LU1+ SOC. [ajlitt] didn’t figure out he wanted the USB dongle (the Crazyradio) that can control this quad until after he used his gift code to claim his Crazyflie quad. No matter; the dongles for Logitech wireless keyboards and mice use the same radio as the Crazyflie and can be modded to make this quad fly.

The board inside the Logitech unifying receiver is a simple affair, with some pads for the USB connector, a crystal, the nRF24LU1+ radio module, and a few passives. To get this radio chip working with his computer, [ajlitt] simply needed to break out the SPI pins and wire everything to a Bus Pirate.

Getting the Crazyradio firmware onto this proved to be a little harder than soldering some magnet wire onto a few pins. The chip was first flashed without a bootloader, a full image with the bootloader was found, after wrangling a single byte into place, [ajlitt] had a working Crazyflie radio made from a wireless mouse dongle. The range isn’t great  – only 30 feet or so, or about as far as you would expect a wireless mouse to work. Excellent work, even if [ajlitt] is temporarily without a mouse.

The Crazyflie 2.0 is available from the Hackaday Store, along with the add-ons if you don’t want to hack your own.