This Week In Security: USB Cable Kia, Reddit, And Microsoft RCEs

There is vulnerability in many Hyundai and Kia vehicles, where the ignition switch can be bypassed with a USB cable. And it’s getting a patch rollout right now, but it’s not a USB vulnerability, in quite the way you might think. In most cars, the steering column is easily disassembled, but these vehicles have an extra-bad design problem. The ignition cylinder can be disassembled while locked, just by depressing a pin.

Physical security has some parallels to computer security, and one such parallel is that good security can often be bypassed by a simple mistake. When it comes to lock design, one such potential bypass is the ability to disassemble a lock while it’s still locked. And somehow, Kias after 2010, and Hyundais after 2015 were made with exactly this flaw. The lock could be disassembled, and the interface between the lock and the ignition switch just happens to be the right shape and size for USB A. Oh, and these cars don’t have an engine immobilizer — there isn’t a chip built into the keys for extra security.

The problem became widespread late last year when the flaw went viral on TikTok, and thousands of copycat crimes were inspired. Beyond the obvious problem, that teenagers were getting an early start on a life of crime with grand theft auto, there were at least 8 deaths directly attributed to the inane stunt. And this brings us back to this week’s news, that a software update is rolling out to address the issue.

Honestly, I have questions. A software update doesn’t add in-key security chips. At best, it could attempt to detect the key position, and sabotage the engine management control, in an ad-hoc immobilizer. That’s likely a paper clip-turned-jumper away from being bypassed. The other new feature, doubling the alarm time from 30 second to a minute, doesn’t inspire much confidence. Hopefully the changes are enough to kill the trend. Continue reading “This Week In Security: USB Cable Kia, Reddit, And Microsoft RCEs”

Hackaday Links Column Banner

Hackaday Links: February 12, 2023

So, maybe right now isn’t the best time to get into the high-altitude ballooning hobby? At least in the US, which with the downing of another — whatever? — over Alaska, seems to have taken a “Sidewinders first, threat identification later” approach to anything that floats by. The latest incident involved an aircraft of unknown type, described as “the size of a small car” — there’s that units problem again — that was operating over Prudhoe Bay off the northern coast of Alaska. The reason that was given for this one earning a Sidewinder was that it was operating much lower than the balloon from last week, only about 40,000 feet, which is well within the ceiling of commercial aviation. It was also over sea ice at the time of the shootdown, making the chance of bothering anyone besides a polar bear unlikely. We’re not taking any political position on this whole thing, but there certainly are engineering and technical aspects of these shootdowns that are pretty interesting, as well as the aforementioned potential for liability if your HAB goes astray. Nobody ever really benefits from having an international incident on their resume, after all.

Continue reading “Hackaday Links: February 12, 2023”

Custom Reddit Keyboard Only Needs One Hand

Sometimes you might want to browse your favorite social media site while eating a sandwich, or throwing darts, or fending off an attacker with a sword. You know, normal things that might occupy only one of your hands. If you’ve ever found yourself in such a situation, then this custom Reddit keyboard could be for you.

Built by [jangxx], this little board is about as simple as it gets. Even if you aren’t looking for a way to browse /r/cooking while practicing your single-handed egg cracking technique, the same principles could be used to quickly throw together a macro keyboard for whatever your particular needs might be.

Inside the 3D printed enclosure is nothing more exotic than an Arduino Pro Micro and five Cherry MX Red switches. The switches have been wired directly to the GPIO pins on the Arduino, and a simple Sketch takes care of the rest. [jangxx] has written the code in such a way that you can easily define the mapping of USB HID keys to physical switches right at the top of the file, making it easy to reuse for your own purposes.

As simple as this project is, we really like the trouble that [jangxx] went through on the 3D printed key caps. The white up and down arrows allow you to navigate through the posts, and the center key selects the one you want to view. Since it’s for Reddit, naturally the red and blue buttons for rapid voting. When you want to go back to the list of posts, just hit the center button again.

Back in 2011 we saw a dedicated Reddit voting peripheral, but we think the addition of simple navigation keys makes this project a bit more compelling. Incidentally, if you can think of any other reason you might want a one-handed keyboard for browsing Reddit…we definitely don’t want to hear about it.

Burn Some Time With This Arduino Reddit Browser

If you’re like us, you probably spend more time browsing Reddit than you’d like to admit to your friends/family/boss/therapist. A seemingly endless supply of knowledge, wisdom, and memes; getting stuck on Reddit is not unlike looking something up on Wikipedia and somehow managing to spend the next couple hours just clicking through to new pages. But we’re willing to bet that none of us love browsing Reddit quite as much as [Saad] does.

He writes in to tell us about the handheld device he constructed which lets him view random posts from the popular /r/showerthoughts sub. Each press of the big red button delivers another slice of indispensable Internet wisdom, making it a perfect desk toy to fiddle with when you need a little extra push to get you through the day. Like one of those “Word a Day” calendars, but one that you’ll actually read.

For those curious as to how [Saad] is scraping Reddit with an Arduino, the short answer is that he isn’t. Posts are pulled from Reddit using an online tool created for the project by his wife (/r/relationshipgoals/), and dumped into a text file that can be placed on the device’s SD card. With 1500 of the all-time highest rated posts from /r/showerthoughts onboard, he should be good on content for awhile.

[Saad] has done an excellent job documenting the hardware side of this build, providing plenty of pictures as well as a list of the parts he used and a few tips to help make assembly easier. Overall it’s not that complex a project, but his documentation is a big help for those who might not live and breathe this kind of thing.

For the high-level summary: it uses an Arduino Pro Mini, a ILI9341 screen, and a 3.3 V regulator to step down 5 V USB instead of using batteries. A bit of perfboard, a 3D printed case, and a suitably irresistible big red button pulls the whole thing together.

We’ve seen a similar concept done in a picture frame a couple of years back, but if that’s not interactive enough you could always build yourself a Reddit “controller”.

How To Hack Your Own Password

[Haseeb] failed the marshmallow test as a kid. He has no self-control. He wastes a lot of time on reddit. There is a solution to this problem — simply lock yourself out of your account. The process is simple, and all you need to do is change your password to something random, change the recovery email address, and click submit. In the blink of an eye, all your imaginary Internet points vanish.

That’s the one guaranteed way to quit reddit. However, [Haseeb] wanted to hold onto those magic Internet points in the event they become worth something. This led to a far more baroque solution. He found a service that would email him at a later date, send an email to himself containing a random password, and quit reddit temporarily. Until that email was delivered, he was officially off reddit. When that email was received, productivity would stop.

A few years pass, and [Haseeb] had some time to kill at his new job. He decided to scrounge up his old password, only to discover he locked himself out of his Reddit account until 2018. What followed is a security exploit of an ’email me in the future’ service, and a great example of how much effort one person will commit to a lifetime of instant gratification.

The email service in question is LetterMeLater, a site that will send an email at some arbitrary point in the future. You can hide the body of the email from yourself, making this a fairly good solution for what [Haseeb] is doing. He was still locked out of his email, though, and emailing the people running LetterMeLater seemed absurd. Dopamine is fun, though, and [Haseeb] eventually found a workaround. This site indexes the body of an email for search. This is great, because the body of the email this site would send [Haseeb] in 2018 contained his reddit password and only his reddit password. With a little bit of code, he can perform substring queries on an email he can’t read. Now, extracting the password is simply a first year CS homework problem.

At this point, the only thing [Haseeb] knows about his password is that it’s a long string of random characters that probably doesn’t include upper-case characters. That’s 26 possible characters, 10 possible numbers, and a character bank that can be determined by searching his email one character at a time. [Haseeb] is essentially playing Hangman against his former self here.

After figuring out an API for LetterMeLater, [Haseeb] whipped up a quick bit of code that finds the password by searching substrings. It’s beautiful and recursive, although he did break it down into finding a suffix of the password then determining the remainder of the password. It took 443 iterations of the code to find the password, and when that was complete he logged into reddit. Math works, although [Haseeb] will have to figure out a way to wean himself off the opiate of the millennials again.

Shower Thoughts In Your Car

The subreddit for Shower Thoughts offers wisdom ranging from the profound to the mundane. For example: “Every time you cut a corner you make two more.” Apparently, [Harin] has a bit of an addiction to the subreddit. He’s been sniffing the CAN bus on his 2012 Hyundai Genesis and decided to display the top Shower Thought on his radio screen.

To manage the feat he used both a Raspberry Pi and an Arduino. Both devices had a MCP2515 to interface with two different CAN busses (one for the LCD display and the other for control messages which carries a lot of traffic.

The code is available on GitHub. There’s still work to do to make the message scroll, for example. [Harin] has other posts about sniffing the bus, like this one.

We’ve covered CAN bus quite a bit, including some non-automotive uses. We’ve even seen the CAN bus for model railroading.

Picture Frame Mashup Taps Subreddits For “Deep Thoughts”

Remember “Deep Thoughts by Jack Handey”? We do, and we always enjoyed the quirky mix of soothing music, soft-focus nature images, and random absurd thought scrolling across the screen as bumpers between segments on Saturday Night Live. Clearly, [tvm78] remembers them, because his picture frame mashups of the r/EarthPorn and r/ShowerThoughts subreddits could have been written by Jack himself.

While [tvm78] shares no photos of his build and offers no tutorials, he makes it clear that this was his first build of any kind. He does offer a few details, like the fact that he’s driving a display with a Raspberry Pi, and he handily references a similar build that includes the code he borrowed to make his frame happen. While we feel that the original mashup works well, several helpful redditors offer suggestions for other combinations, like r/ArchitecturePorn and /r/nocontext, or r/abandonedporn and r/onelinehorror. Of course a straight grab from r/demotivational could be fun too.

We’ve seen tons of web-enabled picture frames before, and plenty of “magic mirror” builds that display useful information on a two-way mirror. But this one appeals to the cynic in us, and would make Jack Handey proud.