Tricking A Smart Meter Into Working On The Bench

When the widget you’re working on is powered by a battery or a USB charger, running it on the bench is probably pretty safe. But when the object of your reverse-engineering desire is a residential electrical meter, things can get a little dicey.

Not that this elevated danger level has kept [Hash] from exploring the mysteries presented by smart meters. Still, with a desire to make things a little safer, he came up with a neat trick for safely powering electrical meters on the bench. [Hash] found that the internal switch-mode power supply on the meter backplane was easy enough to back-feed with a 12-volt bench supply, rather than supplying the meter with the full 240-volt AC supply it normally gets when plugged into a meter base (these are meters for the North American market, where split-phase 240-volt is the norm for residential connections.) But that wasn’t enough for the meter — it powered up, but stayed in a reset state without fully booting. Something more was needed to bring the meter fully to life.

That something proved to be a small AC signal. Normally, a resistor network divides the 240-volt supply down to about 3 volts, which is used by the sensing circuit in the meter. [Hash] found that injecting a 60-Hz, 600-mV sine wave signal with about a 3-volt DC bias into the sensing circuit was enough to spoof the meter into thinking it’s plugged into the meter base. The video below has a walkthrough of the hack, and some nice shots of the insides of the meters he’s been working with.

[Hash] has been working with these meters for a while now, and some of the stuff he’s learned is pure gold. Be sure to check out his 2021 Remoticon talk on meter hacking for all the fascinating details.

Continue reading “Tricking A Smart Meter Into Working On The Bench”

HackRF PortaPack Firmware Spoofs All The Things

The HackRF is an exceptionally capable software defined radio (SDR) transceiver, but naturally you need to connect it to a computer to actually do anything with it. So the PortaPack was developed to turn it into a stand-alone device with the addition of a touchscreen LCD, a few buttons, and a headphone jack. With all the hardware in place, it’s just a matter of installing a firmware capable enough to do some proper RF hacking on the go.

Enter MAYHEM, an evolved fork of the original PortaPack firmware that the developers claim is the most up-to-date and feature packed version available. Without ever plugging into a computer, this firmware allows you to receive, decode, and re-transmit a dizzying number of wireless protocols. From firing off the seating pagers at a local restaurant to creating a fleet of phantom aircraft with spoofed ADS-B transponders, MAYHEM certainly seems like it lives up to the name.

[A. Petazzoni] recently put together a detailed blog post about installing and using MAYHEM on the HackRF/PortaPack, complete with a number of real-world examples that show off just a handful of possible applications for the project. Jamming cell phones, sending fake pager messages, and cloning RF remotes is just scratching the surface of what’s possible.

It’s not hard to see why some have already expressed concern about the project, but in reality, none of these capabilities are actually new. This firmware simply brings them all together in one easy-to-use package, and while there might be an argument to be made about proliferation, we all know that the responsibility to behave ethically rests on the user and not the tools.

Hackaday Links Column Banner

Hackaday Links: December 29, 2019

The retrocomputing crowd will go to great lengths to recreate the computers of yesteryear, and no matter which species of computer is being restored, getting it just right is a badge of honor in the community. The case and keyboard obviously playing a big part in that look, so when a crowdfunding campaign to create new keycaps for the C64 was announced, Commodore fans jumped to fund it. Sadly, more than four years later, the promised keycaps haven’t been delivered. One disappointed backer, Jim Drew, decided he was sick of waiting, so he delved into the world of keycaps injection molding and started his own competing campaign. Jim details his adventures in his Kickstarter Indiegogo campaign, which makes for good reading even if you’re not into Commodore refurbishment. Here’s hoping Jim has better luck than the competition did.

Looking for anonymity in our increasingly surveilled world? You’re not alone, and in fact, we predict facial recognition spoofing products and methods will be a growth industry in the new decade. Aside from the obvious – and often illegal – approach of wearing a mask that blocks most of the features machine learning algorithms use to quantify your face, one now has another option, in the form of a colorful pattern that makes you invisible to the YOLOv2 algorithm. The pattern, which looks like a soft-focus crowd scene rendered in Mardi Gras colors, won’t make the algorithm think you’re someone else, but it will prevent you from being classified as a person. It won’t work with any other AI algorithm, but it’s still an interesting phenomenon.

We saw a great hack come this week about using an RTL-SDR to track down a water leak. Clayton’s water bill suddenly skyrocketed, and he wanted to track down the source. Luckily, his water meter uses the encoder receive-transmit (ERT) protocol on the 900 MHz ISM band to report his usage, so he threw an SDR dongle and rtlamr at the problem. After logging his data, massaging it a bit with some Python code, and graphing water consumption over time, he found that water was being used even when nobody was home. That helped him find the culprit – leaky flap valves in the toilets resulting in a slow drip that ran up the bill. There were probably other ways to attack the problem, but we like this approach just fine.

Are your flex PCBs making you cry? Friend of Hackaday Drew Fustini sent us a tip on teardrop pads to reduce the mechanical stress on traces when the board flexes. The trouble is that KiCad can’t natively create teardrop pads. Thankfully an action plugin makes teardrops a snap. Drew goes into a bit of detail on how the plugin works and shows the results of some test PCBs he made with them. It’s a nice trick to keep in mind for your flexible design work.

Impersonate The President With Consumer-Grade SDR

In April of 2018, the Federal Emergency Management Agency sent out the very first “Presidential Alert”, a new class of emergency notification that could be pushed out in addition to the weather and missing child messages that most users were already familiar with. But while those other messages are localized in nature, Presidential Alerts are intended as a way for the Government to reach essentially every mobile phone in the country. But what if the next Presidential Alert that pops up on your phone was actually sent from somebody with a Software Defined Radio?

According to research recently released by a team from the University of Colorado Boulder, it’s not as far-fetched a scenario as you might think. In fact, given what they found about how the Commercial Mobile Alert Service (CMAS) works, there might not be a whole lot we can even do to prevent it. The system was designed to push out these messages in the most expedient and reliable way possible, which meant that niceties like authentication had to take a backseat.

The thirteen page report, which was presented at MobiSys 2019 in Seoul, details their findings on CMAS as well as their successful efforts to send spoofed Presidential Alerts to phones of various makes and models. The team used a BladeRF 2.0 and USRP B210 to perform their mock attacks, and even a commercially available LTE femtocell with modified software. Everything was performed within a Faraday cage to prevent fake messages from reaching the outside world.

So how does the attack work? To make a long story short, the team found that phones will accept CMAS messages even if they are not currently authenticated with a cell tower. So the first phase of the attack is to spoof a cell tower that provides a stronger signal than the real ones in the area; not very difficult in an enclosed space. When the phone sees the stronger “tower” it will attempt, but ultimately fail, to authenticate with it. After a few retries, it will give up and switch to a valid tower.

This negotiation takes around 45 seconds to complete, which gives the attacker a window of opportunity to send the fake alerts. The team says one CMAS message can be sent every 160 milliseconds, so there’s plenty of time to flood the victim’s phone with hundreds of unblockable phony messages.

The attack is possible because the system was intentionally designed to maximize the likelihood that users would receive the message. Rather than risk users missing a Presidential Alert because their phones were negotiating between different towers at the time, the decision was made to just push them through regardless. The paper concludes that one of the best ways to mitigate this attack would be to implement some kind of digital signature check in the phone’s operating system before the message gets displayed to the user. The phone might not be able to refuse the message itself, but it can at least ascertain it’s authentic before showing it to the user.

All of the team’s findings have been passed on to the appropriate Government agencies and manufacturers, but it will likely be some time before we find out what (if any) changes come from this research. Considering the cost of equipment that can spoof cell networks has dropped like a rock over the last few years, we’re hoping all the players can agree on a software fix before we start drowning in Presidential Spam.

Jeremy Hong: Weaponizing The Radio Spectrum

Jeremy Hong knows a secret or two about things you shouldn’t do with radio frequency (RF), but he’s not sharing.

That seems an odd foundation upon which to build one’s 2018 Hackaday Superconference talk, but it’s for good reason. Jeremy knows how to do things like build GPS and radar jammers, which are federal crimes. Even he hasn’t put his knowledge to practical use, having built only devices that never actually emitted any RF.

So what does one talk about when circumspection is the order of the day? As it turns out, quite a lot. Jeremy focused on how the military leverages the power of radio frequency jamming to turn the tables on enemies, and how civilian police forces are fielding electronic countermeasures as well. It’s interesting stuff, and Jeremy proved to be an engaging guide on a whirlwind tour into the world of electronic warfare.
Continue reading “Jeremy Hong: Weaponizing The Radio Spectrum”

Fooling Samsung Galaxy S8 Iris Recognition

We have a love-hate relationship with biometric ID. After all, it looks so cool when the hero in a sci-fi movie enters the restricted-access area after having his hand and iris scanned. But that’s about the best you can say about biometric security. It’s conceptually flawed in a bunch of ways, and nearly every implementation we’ve seen gets broken sooner or later.

Case in point: prolific anti-biometry hacker [starbug] and a group of friends at the Berlin CCC are able to authenticate to the “Samsung Pay” payment system through the iris scanner. The video, embedded below, shows you how: take a picture of the target’s eye, print it out, and hold it up to the phone. That was hard!

Sarcasm aside, the iris sensor uses IR to recognize patterns in your eye, so [starbug] and Co. had to use a camera with night vision mode.  A contact lens placed over the photo completes the illusion — we’re guessing it gets the reflections from room lighting right.  No etching fingerprint patterns into copper, no conductive gel — just a printout and a contact lens.

Continue reading “Fooling Samsung Galaxy S8 Iris Recognition”

Fail Of The Week: Pinewood Derby Cheat Fails Two Ways

Would you use your tech prowess to cheat at the Pinewood Derby? When your kid brings home that minimalist kit and expects you to help engineer a car that can beat all the others in the gravity-powered race, the temptation is there. But luckily, there are some events that don’t include the kiddies and the need for parents to assume the proper moral posture. When the whole point of the Pinewood Derby is to cheat, then you pull out all the stops, and you might try building an electrodynamic suspension hoverboard car.

Fortunately for [ch00ftech], the team-building Derby sponsored by his employer is a little looser with the rules than the usual event. Loose enough perhaps to try a magnetically levitating car. The aluminum track provided a perfect surface to leverage Lenz’s Law. [ch00ftech] tried different arrangements of coils and drivers in an attempt to at least reduce the friction between car and track, if not outright levitate it. Sadly, time ran out and physics had others ideas, so [ch00ftech], intent on cheating by any means, tried spoofing the track timing system with a ridiculous front bumper of IR LEDs. But even that didn’t work in the end, and poor [ch00f]’s car wound up in sixth place.

So what could [ch00ftech] had done better? Was he on the right course with levitation? Or was spoofing the sensors likely to have worked with better optics? Or should he have resorted to jet propulsion or a propeller drive? How would you cheat at the Pinewood Derby?


2013-09-05-Hackaday-Fail-tips-tileFail of the Week is a Hackaday column which celebrates failure as a learning tool. Help keep the fun rolling by writing about your own failures and sending us a link to the story — or sending in links to fail write ups you find in your Internet travels.