Which Wireless is Right Wireless?

Back in the early days of Arduino proliferation (and before you ask, yes we realize there was a time before that too), wireless was a strange and foreign beast. IR communication was definitely a thing. And if you had the funds there was this cool technology called ZigBee that was available, often in funny blue house-shaped XBee boards. With even more funds and a stomach for AT commands you could even bolt on a 2G cell radio for unlimited range. WiFi existed too, but connecting it to a hobbyist ecosystem of boards was a little hairier (though maybe not for our readership).

But as cell phones pushed demand for low power wireless forward and the progression of what would become the Internet of marking Terms (the IoT, of course) began, a proliferation of options appeared for wireless communication. Earlier this week we came across a great primer on some of the major wireless technologies which was put together by Digikey earlier in the year. Let’s not bury the lede. This table is the crux of the piece:

There are some neat entries here that are a little less common (and our old friend, the oft-maligned and never market-penetrating ZigBee). It’s actually even missing some entries. Let’s break it down:

  • Extremely short range: Just NFC. Very useful for transferring small amount of sensitive information slowly, or things with high location-relevance (like between phones that are touching).
  • Short range: BLE, Zigbee, Z-Wave, etc. Handy for so-called Personal Area Networks and home-scale systems.
  • Medium/long range: Wifi, Bluetooth, Zigbee, Z-Wave, LoRaWAN: Sometimes stretching for a kilometer or more in open spaces. Useful for everything from emitting tweets to stitching together a mesh network across a forrest, as long as there are enough nodes. Some of these are also useful at shorter range.
  • Very Long range/rangeless: Sigfox, NB-IoT, LTE Category-0. Connect anywhere, usually with some sort of subscription for network access. Rangeless in the sense that range is so long you use infrastructure instead of hooking a radio up to a Raspberry Pi under your desk. Though LoRa can be a fun exception to that.

You’re unlikely to go from zero to custom wireless solution without getting down into the mud with the available dev boards for a few different common protocols, but which ones? The landscape has changed so rapidly over the years, it’s easy to get stuck in one comfortable technology and miss the appearance of the next big thing (like how LoRaWAN is becoming new cool kid these days). This guide is a good overview to help catch you up and help decide which dev kits are worth a further look. But of course we still want to hear from you below about your favorite wireless gems — past, present, and future — that didn’t make it into the list (we’re looking at you 433 MHz).

Hacker Pops Top On NFC Vending Machines

Vending machines used to be a pretty simple affair: you put some coins in, and food or drink that in all likelihood isn’t fit for human consumption comes out. But like everything else today, they are becoming increasingly complex Internet connected devices. Forget fishing around for pocket change; the Coke machine at the mall more often than not has a credit card terminal and a 30 inch touch screen display to better facilitate dispensing cans of chilled sugar water. Of course, increased complexity almost always goes hand in hand with increased vulnerability.

So when [Matteo Pisani] recently came across a vending machine that offered users the ability to pay from an application on their phone, he immediately got to wondering if the system could be compromised. After all, how much thought would be put into the security of a machine that basically sells flavored water? The answer, perhaps not surprisingly, is very little.

The write-up [Matteo] has put together is an outstanding case study in hacking Android applications, from pulling the .apk package off the phone to decompiling it into its principal components with programs like apktool and jadx. He even shows how you can reassemble the package and get it suitable for reinstallation on your device after fiddling around with the source code. If you’ve ever wanted a crash course on taking a peek inside of Android programs, this is a great resource.

By snooping around in the source code, [Matteo] was able to discover not only the location of the encrypted database that serves as the “wallet” for the user, but the routine that generates the encryption key. To cut a long story short, the program simply uses the phone’s IMEI as the key to get into the database. With that in hand, he was able to get into the wallet and give himself a nice stack of “coins” for the next time he hit the vending machines. Given his new-found knowledge of how the system works, he even came up with a separate Android app that allows adding credit to the user’s account on a rooted device.

In the video after the break, [Matteo] demonstrates his program by buying a soda and then bumping his credit back up to buy another. He ends his write-up by saying that he has reported his findings to the company that manufacturers the vending machines, but no word on what (if any) changes they plan on making. At the end of the day, you have to wonder what the cost-befit analysis looks like for a full security overhaul when when you’re only selling sodas and bags of chips.

When he isn’t liberating carbonated beverages from their capitalistic prisons, he’s freeing peripherals from their arbitrary OS limitations. We’re starting to get a good idea about what makes this guy tick.

Continue reading “Hacker Pops Top On NFC Vending Machines”

Samy Kamkar: Reverse Engineering for a Secure Future

Show of hands: how many of you have parked your car in the driveway, walked up to your house, and pressed your car’s key fob button thinking it would open the front door? We’ve probably all done it and felt a little dopey as a result, but when you think about it, it would be tremendously convenient, especially with grocery bags dangling off each arm and the mail clenched between your teeth. After all, we’re living in the future —  shouldn’t your house be smart enough to know when you’re home?

Reverse engineer par excellence Samy Kamkar might think so, but given his recent experiences with cars smart enough to know when you’re standing outside them, he’d probably have some reservations. Samy dropped by the 2017 Hackaday Superconference in November to discuss the finer points of exploiting security flaws in passive car entry systems, and also sat down with our own Elliot Williams after his talk for a one-on-one interview. Samy has some interesting insights on vehicle cybersecurity, but the practical knowledge he’s gained while exploring the limits of these systems teach some powerful lessons about being a real-world reverse engineer.

Continue reading “Samy Kamkar: Reverse Engineering for a Secure Future”

Homebrew SNES Mini Aims for Historical Accuracy

While “normies” are out fighting in the aisles of Walmart to snap up one of the official “Classic Mini” consoles that Nintendo lets slip out onto the market every once and awhile, hackers have been perfecting their own miniature versions of these classic gaming systems. The “Classic Mini” line is admittedly a very cool way to capitalize on nostalgic masses who have now found themselves at the age where they have disposable income, but the value proposition is kind of weak. Rather than being stuck with the handful of generation-limited games that Nintendo packed into the official products, these homebrew consoles can play thousands of ROMs from systems that stretch across multiple generations and manufacturers.

But for those old enough to remember playing on one of these systems when they first came out, these modern reincarnations always lack a certain something. It never feels quite right. That vaguely uncomfortable feeling is exactly what [ElBartoME] is aiming to eliminate with his very slick miniature SNES build. His 3D printed case doesn’t just nail the aesthetics of the original (PAL) console, but the system also uses real SNES controllers in addition to NFC “cartridges” to load different ROMs.

The project’s page on Thingiverse has all the wiring diagrams and kernel configuration info to get the internal Raspberry Pi 3 to read an original SNES controller via the GPIO pins. He also gives a full rundown on the hardware and software required to get the NFC-enabled cartridges working with EmulationStation to launch the appropriate game when inserted. Though he does admit this is quite a bit trickier than the controller setup.

[ElBartoME] has put a video up on YouTube that shows him inserting his mock cartridges and navigating the menus with an original SNES controller. If it wasn’t for the fact that the console is the size of a smartphone and the on-screen display is generations beyond what the SNES could pull off, you’d think he was playing on the real thing.

We’ve seen some incredibly impressive emulation boxes based on the Raspberry Pi, and builds which tried to embrace original hardware components, but this particular project may represent the best of both worlds.

Continue reading “Homebrew SNES Mini Aims for Historical Accuracy”

“Borrow” Payment Cards with NFC Proxy Hardware

Contactless payments are growing in popularity. Often the term will bring to mind the ability to pay by holding your phone over a reader, but the system can also use NFC tags embedded in credit cards, ID card, passports, and the like. NFC is a reasonably secure method of validating payments as it employs encryption and the functional distance between client and reader is in the tens of centimeters, and often much less. [Haoqi Shan] and the Unicorn team have reduced the security of the distance component by using a hardware proxy to relay NFC interactions over longer distances.

The talk, give on Sunday at DEF CON, outlined some incredibly simple hardware: an NFC antenna connected to a PN7462AU, an NRF24L01 wireless transceiver, and some power regulation. The exploit works by using a pair of these hardware modules. A master interfaces with the NFC reader, and a slave reads the card. The scenario goes something like this: a victim NFC card is placed near the slave hardware. The master hardware is placed over a payment kiosk as if making a normal payment. As the payment kiosk reader begins the process to read an NFC card, all of the communications between it and the actual card are forwarded over the 24L01 wireless connection.

The demo video during the talk showed a fast-food purchase made on the Apple Pay network while the card was still at a table out in the dining area (resting on the slave hardware module). The card used was a QuickPass contactless payment card from China UnionPay. According to a 2016 press release from the company, over two billion of these cards had been issued at the time. With that kind of adoption rate there is a huge incentive to find and patch any vulnerabilities in the system.

The hardware components in this build aren’t really anything special. We’ve seen these Nordic wireless modules used in numerous projects over they years, and the NXP chip is just NFC build around an ARM core. The leaps that tie this together are the speed-ups to make it work. NFC has tight timing and a delay between the master and slave would invalidate the handshake and subsequent interactions. The Unicorn team found some speedups by ensuring the chip was waking from suspend mode (150 µS) and not a deeper sleep. Furthermore, [Haoqi] mentioned they are only transmitting “I/S/R Block Data” and not the entirety of the interaction to save on time transmitting over the 24L01 wireless link. He didn’t expand on that so if you have details about what those blocks actually consist of please let us know in the comments below.

To the card reader, the emulated payment card is valid and the payment goes through. But one caveat to the system is that [Haoqi] was unable to alter the UID of the emulator — it doesn’t spoof the UID of the payment card being exploited. Current readers don’t check the UID and this could be one possible defense against this exploit. But to be honest, since you need close physical proximity of the master to the reader and the slave to the payment card simultaneously, we don’t see mayhem in the future. It’s more likely that we’ll see hacker cred when someone builds a long-range link that lets you leave your NFC cards at home and take one emulator with you for wireless door access or contactless payments in a single device. If you want to get working on this, check out the talk slides for program flow and some sourcecode hints.

Making a Wearable NFC Bus Pass

[Stephen Cognetta] is trying to get the total number of things he owns down below 115, and he’s always looking for ways to streamline his life.

Toward this goal he dissolved his SF Transit Clipper Card in acetone to get at the NFC tag embedded inside. The tag consists of a tiny chip attached to an antenna the size of the card itself. It took about three days (video below the break) for the layers to separate and [Stephen] was able to extricate the tag.

He ended up trying a few different ways of storing the delicate chip and antenna, including a lump of Sugru as well as a waterproof aspirin band, pictured to the right.

One supposes the transit pass idea might save you a little time, but what would really simplify your life would be having a single wearable tag that unlocked a bunch of things. Also it should be noted that, un-coolly, damaging a card violates SF Transit’s terms of service…

HaD has covered NFC wearables before, including the phone-unlocking NFC ring as well as the NFC ring box. This NFC-controlled infinity mirror makes great use of the technology.

Continue reading “Making a Wearable NFC Bus Pass”

Skin Bling: Wearable Electronics from Golden Temporary Tattoos

MIT Media Lab and Microsoft have teamed up to take wearable devices one step further — they’ve glued the devices directly to the user’s skin. DuoSkin is a temporary tattoo created with gold leaf. Metallic “Flash” temporary fashion tattoos have become quite popular recently, so this builds on the trend. What the team has done is to use them to create user interfaces for wearable electronic devices.

weeding-gold-leaf-temporary-tattooGenerally speaking, gold leaf is incredibly fragile. In this process to yield the cleanest looking leaf the gold is not actually cut. Instead, the temporary tattoo film and backer are cut on a standard desktop vinyl cutter. The gold leaf is then applied to the entire film surface. The cut film/leaf can then be “weeded” — removing the unwanted portions of film which were isolated from the rest by the cutting process — to complete the temporary tattoo. The team tested this method and found that traces 4.5 mm or more thick were resilient enough to last the entire day on your skin.

The gold leaf tattoos make excellent capacitive touch sensors. The team was able to create sliders, buttons, and even 2 dimensional diamond grids. These controls were used to move a cursor on a computer or phone screen. They were even able to create a wearable NFC tag. The gold leaf is the antenna, and the NFC chip itself is mounted on the temporary tattoo backer.

These devices all look great, but with the exception of the NFC chip, we’re not seeing the electronics driving them. Capacitive touch sensors used as a UI for a phone will have to have a Bluetooth radio and a battery somewhere. We’re that’s all hidden under the arm of the user. You can see what we’re taking about in the video after the break. That said, the tools and materials are ubiquitous and easy to work with. Take a quick read through the white paper (PDF) and you can be making your own version of this today.

Continue reading “Skin Bling: Wearable Electronics from Golden Temporary Tattoos”