This Week In Security: Broken Shims, LassPass, And Toothbrushes?

Linux has a shim problem. Which naturally leads to a reasonable question: What’s a shim, and why do we need it? The answer: Making Linux work with Secure Boot, and an unintended quirk of the GPLv3.

Secure Boot is the verification scheme in modern machines that guarantees that only a trusted OS can boot. When Secure Boot was first introduced, many Linux fans suggested it was little more than an attempt to keep Linux distros off of consumers’ machines. That fear seems to have been unwarranted, as Microsoft has dutifully kept the Linux Shim signed, so we can all run Linux distros on our Secure Boot machines.

So the shim. It’s essentially a first-stage bootloader, that can boot a signed GRUB2 or other target. You might ask, why can’t we just ask Microsoft to sign GRUB2 directly? And that’s where the GPLv3 comes in. That license has an “anti-tivoization” section, which specifies “Installation Information” as part of what must be provided as part of GPLv3 compliance. And Microsoft’s legal team understands that requirement to apply to even this signing process. And it would totally defeat the point of Secure Boot to release the keys, so no GPLv3 code gets signed. Instead, we get the shim.

Now that we understand the shim, let’s cover how it’s broken. The most serious vulnerability is a buffer overflow in the HTTP file transfer code. The buffer is allocated based on the size in the HTTP header, but a malicious HTTP server can set that value incorrectly, and the shim code would happily write the real HTTP contents past the end of that buffer, leading to arbitrary code execution. You might ask, why in the world does the shim have HTTP code in it at all? The simple answer is to support UEFI HTTP Boot, a replacement for PXE boot.

The good news is that this vulnerability can only be triggered when using HTTP boot, and only by connecting to a malicious server or via a man-in-the-middle attack. With this in mind, it’s odd that this vulnerability is rated a 9.8. Specifically, it seems incorrect that this bug is rated low complexity, or a general network attack vector. In Red Hat’s own write-up of the vulnerability, they argue that the exploitation is high complexity, and is only possible from an adjacent network. There were a handful of lesser vulnerabilities found, and these were all fixed with shim 15.8.
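
The missing bounds check behind the HTTP boot overflow described above, shown as an added example (this is not shim's code): a receive loop that allocates from the announced size and rejects any chunk that would run past it. `recv_body`, `struct chunk`, `demo` and the sample data are hypothetical names constructed for illustration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for one body chunk handed up by the HTTP stack. */
struct chunk { const unsigned char *data; size_t len; };

enum rx_status { RX_OK = 0, RX_OVERRUN = -1, RX_SHORT = -2, RX_NOMEM = -3 };

/* Receive a body announced as `declared` bytes (the Content-Length value).
 * The unsafe pattern is malloc(declared) followed by copying each chunk at
 * the running offset without comparing it to `declared`. Here each chunk
 * is checked against the space still left before anything is copied. */
enum rx_status recv_body(size_t declared, const struct chunk *chunks,
                         size_t nchunks, unsigned char **out)
{
    *out = NULL;
    if (declared == 0) return RX_SHORT;
    unsigned char *buf = malloc(declared);
    if (buf == NULL) return RX_NOMEM;

    size_t used = 0;
    for (size_t i = 0; i < nchunks; i++) {
        /* used <= declared always holds, so the subtraction cannot wrap. */
        if (chunks[i].len > declared - used) {
            free(buf);
            return RX_OVERRUN;      /* more data than the header announced */
        }
        memcpy(buf + used, chunks[i].data, chunks[i].len);
        used += chunks[i].len;
    }
    if (used != declared) { free(buf); return RX_SHORT; }  /* truncated */
    *out = buf;
    return RX_OK;
}

/* Constructed input: two 8-byte chunks, 16 bytes of real body in total. */
static const unsigned char part[8] = "AAAAAAA";
static const struct chunk body[2] = { { part, 8 }, { part, 8 } };

/* Run recv_body against `declared` and release the result if any. */
int demo(size_t declared)
{
    unsigned char *img;
    enum rx_status s = recv_body(declared, body, 2, &img);
    free(img);
    return s;
}

int main(void) { return demo(16) == RX_OK && demo(4) == RX_OVERRUN ? 0 : 1; }
```

A server that announces 4 or 12 bytes but sends 16 is rejected before the copy, and one that announces 32 is rejected as truncated instead of leaving part of the buffer uninitialized.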

It’s A Sander! No, It’s A Toothbrush! Relax, Relax, It’s Both

We always enjoy a project that transforms some common object into something useful for us. [Modelkitsdeluxe] fits the bill by modifying a power toothbrush into a miniature sander. If you want to practice your Spanish, you can watch the video below. Or you can try the automatically translated captions.

As you can guess from the user name, he is mainly interested in working with small models, but it struck us that this might also be useful for general 3D printing. Honestly, once you have the idea, there isn’t much to it. You mutilate a brush head that fits the toothbrush to accept a small sanding disk.

There are probably a dozen ways to attach your sandpaper or emery cloth to the head. [Modelkitsdeluxe] used double-sided tape and Velcro. While we applaud the upcycling, we’ll probably stick with a hobby tool. Our toothbrush makes an annoying buzz every 30 seconds or so to remind you to move to another part of your mouth. That doesn’t seem like a great feature when doing precision sanding. On the other hand, you could probably yank the controller out of the toothbrush and use it for the motor, drive, and batteries to avoid that.

If you want to tackle that, here’s something to get you started. If sanding doesn’t turn your crank, maybe you can try turning your deadbolt.

Sniffing Passwords, Rickrolling Toothbrushes

If you could dump the flash from your smart toothbrush and reverse engineer it, enabling you to play whatever you wanted on the vibrating motor, what would you do? Of course there’s no question: you’d never give up, or let down. Or at least that’s what [Aaron Christophel] did. (Videos, embedded below.)

But that’s just the victory lap. The race began with previous work by [Cyrill Künzi], who figured out that the NFC chip inside was used for a run-time counter, and managed to reset it by sniffing the password with an SDR as it was being transmitted. A great hack to be sure, but it only works for people with their own SDR setup.

With the goal of popularizing toothbrush-head-NFC-hacking, [Aaron] busted open the toothbrush itself, found the debug pins, dumped the flash, and got to reverse engineering. A pass through Ghidra got him to where the toothbrush reads the NFC tag ID from the toothbrush head. But how does it get from the ID to the password? It turns out that it runs a CRC on a device UID from the NFC tag itself and also a manufacturer’s string found in the NFC memory, and scramble-combines the two CRC values.

Sounds complicated, but the NFC UID can be read with a cellphone app, and the manufacturer’s string is also printed right on the toothbrush head itself for your convenience. Armed with these two numbers, you can calculate the password, and convince your toothbrush head that it’s brand new, all from the comfort of your smartphone! Isn’t technology grand?

We’re left guessing a little bit about the Rickroll hack, but we’d guess that once [Aaron] had the debug pins on the toothbrush’s microcontroller, he just couldn’t resist writing and flashing in a custom firmware. Talk about dedication.

[Aaron] has been doing extensive work on e-paper displays, but his recent work on the Sumup payment terminal is a sweet look at hacking into higher security devices with acupuncture needles.

Toothbrush Speed Controller Secrets Revealed

Typically, when we want to build something with a DC motor, we might grab a bunch of AAs, or a single lithium cell at the very least. Electric toothbrushes often run on more humble power sources, like a single NiMH battery. They’re designed to get useful motion out of just 1.2V, and [Marian Hryntsiv] has taken a look at what makes them tick.

The article focuses on an electric toothbrush built around the Low Voltage GreenPAK™ SLG47513 chip. It’s designed to work at voltages from just 1 to 1.65 V. To make the most of the limited power available, the toothbrush stays in sleep mode most of the time when it’s not working in oral health.

[Marian] steps through the various parts of the circuit, and also explains the unique functionality baked into the brush. Of particular interest are the timer routines that guide the user through brushing each section of the mouth in turn, before a notification that tells them that 2 minutes of brushing time has elapsed. There’s also a useful explanation of the inductive charging method used.

Electric toothbrushes may be mundane home items today, but they’re an example of a product that has largely already been optimized to the nth degree. Until laser-based plaque removal or enamel regeneration technology gets off the ground, this is as good as it gets. We can dream, though!

Making A Toothbrush From Scratch, Right Down To The Bristles

Most of us probably get by with a toothbrush costing a couple dollars at most, made of injection-moulded plastic for delicate, tender mouths. Maybe if you’re a real cleantooth, you have a fancy buzzy electric one. We’d wager few are machining their own bespoke toothbrushes from scratch, but if you want some inspiration, [W&M Levsha] is doing just that.

Much of the work will be familiar to die-hard machining enthusiasts. There’s careful crafting of the wood handle, involving a stackup of multiple stained and varnished woods – in this case, hornbeam being the paler of the two, and amaranth providing that rich red color. The stem is a stylish stainless steel piece, elegantly bent to a tasteful curve. Finally, the assembly of the brush head alone is worth the watch. It’s custom made – with a steel backing plate and fishing wire bristles custom cut with an automated jig using stepper motors. We suspect fishing wire is not rated for dental use, but the nylon strands are at least in the ballpark of what regular toothbrushes use.

While we probably wouldn’t slide this one betwixt our lips without consulting a dental professional first, it’s a great video for learning about what it takes to make beautiful bespoke objects in the workshop. We’ve seen elegant work from [W&M Levsha] before, too – in the form of a delightfully eclectic cap gun lighter. Video after the break.

[Joe Grand’s] Toothbrush Plays Music That Doesn’t Suck

It’s not too exciting that [Joe Grand] has a toothbrush that plays music inside your head. That’s actually a trick that the manufacturer pulled off. It’s that [Joe] gave his toothbrush an SD card slot for music that doesn’t suck.

The victim donor hardware for this project is a toothbrush meant for kids called Tooth Tunes. They’ve been around for years, but unless you’re a kid (or a parent of one) you’ve never heard of them. That’s because they generally play the saccharine sounds of Hannah Montana and the Jonas Brothers which make adults choose cavities over dental health. However, we’re inclined to brush the enamel right off of our teeth if we can listen to The Amp Hour, Embedded FM, or the Spark Gap while doing so. Yes, we’re advocating for a bone-conducting, podcasting toothbrush.

[Joe’s] hack starts by cracking open the neck of the brush to cut the wires going to a transducer behind the brushes (his first attempt is ugly but the final process is clean and minimal). This allows him to pull out the guts from the sealed battery compartment in the handle. In true [Grand] fashion he rolled a replacement PCB that fits in the original footprint, adding an SD card and replacing the original microcontroller with an ATtiny85. He goes the extra mile of making this hack a polished work by also designing in an On/Off controller (MAX16054) which delivers the tiny standby current needed to prevent the batteries from going flat in the medicine cabinet.

Check out his video showcasing the hack below. You don’t get an audio demo because you have to press the thing against the bones in your skull to hear it. The OEM meant for this to press against your teeth, but now we want to play with them for our own hacks. Baseball cap headphones via bone conduction? Maybe.

Update: [Joe] wrote in to tell us he published a demonstration of the audio. It uses a metal box as a sounding chamber in place of the bones in our head.

Build A Light Following Bristlebot As A Way To Teach Science

[Ben Finio] designed this project as a way to get kids interested in learning about science and engineering. Is it bad that we just want to build one of our own? It’s a light following bristlebot which in itself is quite simple to build and understand. We think the platform has a lot of potential for leading to other things, like learning about microcontrollers and wireless modules to give it wireless control.

Right now it’s basically two bristlebots combined into one package. The screen capture seen above makes it hard to pick out the two toothbrush heads on either side of a battery pack. The chassis of the build is a blue mini-breadboard. The circuit that makes it follow light is the definition of simple. [Ben] uses two MOSFETs to control two vibration motors mounted on the rear corners of the chassis. The gate of each MOSFET is driven by a voltage divider which includes a photoresistor. When the light on one is brighter than on the other, the bot turns towards the brighter sensor. When viewing the project log above, make sure to click on the tabs to see all of the available info.

This directional control seems quite good. We’ve also seen other versions which shift the weight of the bot to change direction.
