What do potato chips and lost car keys have in common? On the surface, it would seem not much, unless you somehow managed to lose your keys in a bag of chips, which would be embarrassing enough that you’d likely never speak of it. But there is a surprising link between the two, and Samy Kamkar makes the association in his newly published 2019 Superconference talk, which he called “FPGA Glitching and Side-Channel Attacks.”
Careful, the walls have ears. Or more specifically, the smart speaker on the table has ears, as does the phone in your pocket, the fitness band on your wrist, possibly the TV, the fridge, the toaster, and maybe even the toilet. Oh, and your car is listening to you too. Probably.
How does one fight this profusion of listening devices? Perhaps this wearable smart device audio jammer will do the trick. The idea is that the MEMS microphones that surround us are all vulnerable to jamming by ultrasonic waves, due to the fact that they have a non-linear response to ultrasonic signals. The upshot of that is when a MEMS hears ultrasound, it creates a broadband signal in the audible part of the spectrum. That creates a staticky noise that effectively drowns out any other sounds the microphone might be picking up.
By why a wearable? Granted, [Yuxin Chin] and colleagues from the University of Chicago have perhaps stretched the definition of that term a tad with their prototype, but it turns out that moving the jammer around does a better job of blocking sounds than a static jammer does. The bracelet jammer is studded with ultrasonic transducers that emit overlapping fields and result in zones of constructive and destructive interference; the wearer’s movements vary the location of the dead spots that result, improving jamming efficacy. Their paper (PDF link) goes into deeper detail, and a GitHub repository has everything you need to roll your own.
We saw something a bit like this before, but that build used white noise for masking, and was affixed to the smart speaker. We’re intrigued by a wearable, especially since they’ve shown it to be effective under clothing. And the effect of ultrasound on MEMS microphones is really interesting.
The most important rule of password use, especially when used for online logins, is to avoid reusing passwords. From there, one’s method of keeping track of multiple passwords can vary considerably. While memorization is an option in theory, in practice a lot of people make use of a password manager like Lastpass or KeePass. For those with increased security concerns, though, you may want to implement a USB password keeper like this one based on an ATtiny.
This password keeper, called “snopf”, is a USB device with an ATtiny85 which adds a layer of separation to password keeping that increases security substantially. Passwords are created by the USB device itself using a 128-bit key to generate the passwords, which are physically detached from the computer. Password requests are made by the computer to the USB device, but the user must push a button on the snopf in order to send the password to the computer. It does this by emulating a keyboard, keeping the password information off of the computer’s clipboard.
Of course, snopf isn’t perfectly secure, and the project’s creator [Hajo] goes into detail on the project’s page about some of the potential vulnerabilities. For most use cases, though, none of these are of serious concern. Upgrading your password keeper to a physical device is likely to be a huge security improvement regardless, and one was actually developed on Hackaday a few years ago.
Is it just me or did January seem to last for about three months this year? A lot has happened since the turn of the decade 31 days ago, both in the normie world and in our space. But one of the biggest pieces of news in the hacker community is something that won’t even happen for four more months: Hackaday Belgrade. The annual conference in Hackaday’s home-away-from-home in Serbia was announced, and as usual, one had to be a very early bird to score discount tickets. Regular tickets are still on sale, but I suspect that won’t last long. The call for proposals for talks went out earlier in the month, and you should really consider standing up and telling the world what you know. Or tell them what you don’t know and want to find out – there’s no better way to make connections in this community, and no better place to do it.
Someone dropped a tip this week about the possible closing of Tanner Electronics, the venerable surplus dealer located in Carrollton, Texas, outside of Dallas and right around the corner from Dallas Makerspace. The report from someone visiting the store is that the owner has to either move the store or close it down. I spoke to someone at the store who didn’t identify herself, but she confirmed that they need to either downsize or close. She said they’re actively working with a realtor and are optimistic that they’ll find a space that fits their needs, but the clock is ticking – they only have until May to make the change. We covered Tanner’s in a 2015 article on “The Death of Surplus”. It would be sad to lose yet another surplus store; as much as we appreciate being able to buy anything and everything online, nothing beats the serendipity that can strike walking up and down aisles filled with old stuff. We wish them the best of luck.
Are you finding that the smartphone in your pocket is more soul-crushing than empowering? You’re not alone, and more and more people are trying a “digital detox” to free themselves from the constant stimulation. And there’s no better way to go about this than by turning your smartphone into a not-so-smart phone. Envelope, a paper cocoon for your phone, completely masks the screen, replacing it with a simple printed keypad. A companion app allows you to take and make phone calls or use the camera, plus provides a rudimentary clock, but that’s it. The app keeps track of how long you can go before unwrapping your phone and starting those sweet, sweet dopamine hits again. It reminds us a bit of the story we also saw this week about phone separation anxiety in school kids, and the steps schools are taking to mitigate that problem.
We saw a lot of articles this week on a LoRaWAN security vulnerability. The popular IoT network protocol has been billed as “secure by default”, but a white paper released by cybersecurity firm IOActive found a host of potential attack vectors. Their main beef seems to be that client devices which are physically accessible can be reverse engineered to reveal their encryption keys. They also point out the obvious step of taking the QR code off of client devices so an attacker can’t generate session keys for the device.
And finally, the mummy speaks! If you ever wondered what the voice of someone who lived 3,000 years ago sounded like, wonder no more. Using computed tomography (CT) data, scientists in the UK and Germany have recreated the vocal tract of Nesyamun, an Egyptian scribe and priest from the time of pharaoh Rameses XI. He died in his mid-50s, and his mummified remains have been studied since the 1800s. CT data was used to 3D-print Nesyamun’s larynx and nasopharynx, which was then placed atop a “Vocal Tract Organ”, possibly the strangest musical instrument in existence. The resulting vowel-like utterance is brief, to say the least, but it’s clear and strong, and it’s pretty impressive that we can recreate the voice of someone who lived and died three millennia ago.
Unfortunately not all consumers place high value on the security of their computers, but one group that tends to focus on security are businesses with a dedicated IT group. When buying computers for users, these groups tend to have higher demands, like making sure the Intel Management Engine (IME) has been disabled. To that end, Reddit user [netsec_burn] has outlined a pretty simple method to where “normal people” can purchase one of these IME-disabled devices for themselves.
For those unfamiliar with the IME, it is a coprocessor on all Intel devices since around 2007 that allows access to the memory, hard drive, and network stack even when the computer is powered down. Intel claims it’s a feature, not a bug, but it’s also a source of secret, unaudited code that’s understandably a desirable target for any malicious user trying to gain access to a computer. The method that [netsec_burn] outlined for getting a computer with the IME disabled from the factory is as simple as buying a specific Dell laptop, intended for enterprise users, and selecting the option to disable the IME.
Of course Dell warns you that you may lose some system functionality if you purchase a computer with the IME disabled, but it seems that this won’t really effect users who aren’t involved in system administration. Also note that this doesn’t remove the management engine from the computer. For that, you’ll need one of only a handful of computers made before Intel made complete removal of the IME impossible. In the meantime, it’s good to see that at least one company has a computer available that allows for it to be disabled from the factory.
If you need to make sure your computer isn’t being messed with, you’ll have a look at the log files. If something seems fishy, that’s grounds for further investigation. If you run a large network of computers, you’ll probably want to look over all of the logs, but you won’t want to run around to each computer individually. Setting up a central server to analyze the logs exposes an additional attack surface: the logs in transit. How do you make sure that the attackers aren’t also intercepting and sanitizing your log file reports?
The answer to this question, and nearly everything else, is blockchain! Or maybe it’s not, but in this short presentation from the 2019 Hackaday Superconference, Shanni Prutchi, Jeff Wood, and six other college students intend to find out. While Shanni “rolls her eyes” at much of blockchain technology along with the rest of us, you have to admit one thing: recursively hashing your log data to make sure they’re not tampered with doesn’t sound like such a bad idea. Continue reading “Bringing The Blockchain To Network Monitoring”→
In our community it is common for ancient laptops to be used way beyond their usual service life, held together by stickers and lovingly upgraded to their maximum capabilities. We hope it’s unusual for such a venerable machine to be stolen, but it seems that grab-and-run thefts are very much a thing for owners of much shinier hardware. [Michael Altfield] has a solution to this problem, in the form of a kill cord that when broken by the crook making off with the loot, triggers a set of scripts that can wipe the device or otherwise make it useless.
Hardware-wise it’s simple enough, a USB magnetic breakaway adapter and a USB extension cable to a drive clipped to the laptop owner’s belt. On the software side it’s as straightforward as a udev rule to launch the disaster script of your choice. Perhaps you could link it to something like a glitter bomb and fart spray. But we can’t help worrying that it might be too easy to get up and accidentally detach yourself from the laptop, making it deploy whatever anti-theft measure you’d installed in error. If this goes some way to reducing theft though, it has to be worth a second look.
