
Hackaday Links: February 15, 2026

It probably won’t come as much of a surprise to find that most of the Hackaday staff aren’t exactly what you’d call sports fanatics, so we won’t judge if you didn’t tune in for the Super Bowl last week. But if you did, perhaps you noticed Ring’s Orwellian “Search Party” spot — the company was hoping to get customers excited about a new feature that allows them to upload a picture of their missing pet and have Ring cameras all over the neighborhood search for a visual match. Unfortunately for Ring, the response on social media wasn’t quite what they expected.

Nope, don’t like that.

One commenter on YouTube summed it up nicely: “This is like the commercial they show at the beginning of a dystopian sci-fi film to quickly show people how bad things have gotten.” You don’t have to be some privacy expert to see how this sort of mass surveillance is a slippery slope. Many were left wondering just who or what the new system would be searching for when it wasn’t busy sniffing out lost pups.

The folks at Wyze were quick to capitalize on the misstep, releasing their own parody ad a few days later that showed various three-letter agencies leaving rave reviews for the new feature. By Thursday, Ring announced they would be canceling a planned expansion that would have given the divisive Flock Safety access to their network of cameras. We’re sure it was just a coincidence.

Speaking of three-letter agencies, the Environmental Protection Agency has announced this week that they will no longer incentivize the inclusion of stop-start systems on new automobiles. The feature, which shuts off the engine when the vehicle comes to a stop, was never actually required by federal law; rather, the EPA previously awarded credits to automakers that added the feature, which would help them meet overall emission standards. Manufacturers are free to continue offering stop-start systems on their cars if they wish, but without the EPA credits, there’s little benefit in doing so. Especially since, as Car and Driver notes, it seems like most manufacturers are happy to be rid of it. The feature has long been controversial with drivers as well, to the point that we’ve seen DIY methods to shut it off.


Hackaday Links: September 22, 2024

Thanks a lot, Elon. Or maybe not, depending on how this report that China used Starlink signals to detect low-observable targets pans out. There aren’t a lot of details, and we couldn’t find anything approximating a primary source, but it seems like the idea is based on forward scatter, which is when waves striking an object are deflected only a little bit. The test setup for this experiment was a ground-based receiver listening to the downlink signal from a Starlink satellite while a DJI Phantom 4 Pro drone was flown into the signal path. The drone was chosen because nobody had a spare F-22 or F-35 lying around, and its radar cross-section is about that of one of these stealth fighters. They claim that this passive detection method was able to make out details about the drone, but as with most reporting these days, this needs to be taken with an ample pinch of salt. Still, it’s an interesting development that may change things up in the stealth superiority field.


This Week In Security: Wyze, ScreenConnect, And Untrustworthy Job Postings

For a smart home company with an emphasis on cloud-connected cameras, what could possibly be worse than accidentally showing active cameras to the wrong users? Doing it again, to far more users, less than 6 months after the previous incident.

The setup for this breach was an AWS problem that caused a Wyze system outage last Friday morning. As the system was restored, the load spiked and a caching library took the brunt of the unintentional DDoS. This library apparently has a fail state of serving images and videos to the wrong users. An official report from Wyze mentions that this library had been recently added, and that the number of thumbnails shown to unauthorized users was around 13,000. Eek. There’s a reason we recommend picking one of the Open Source NVR systems here at Hackaday.

ScreenConnect Exploit in the Wild

A pair of vulnerabilities in ConnectWise ScreenConnect were announced this week; proofs of concept have been released, and the flaws are already being actively exploited. The vulnerabilities are a CVSS 10.0 authentication bypass and a CVSS 8.4 path traversal bypass.

Huntress has a guide out, detailing how embarrassingly easy the vulnerabilities are to exploit. The authentication bypass is the result of a .NET quirk: adding an additional directory on the end of a .aspx URL doesn’t actually change the destination, but the extra segment is captured as PathInfo. This allows a bypass of the protections against re-running the initial setup wizard: hostname/SetupWizard.aspx/literallyanything
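For defenders, the PathInfo quirk above gives a simple log hunt: any request for SetupWizard.aspx that carries a trailing path segment. The following is an added example, not code from Huntress or ConnectWise; the access-log layout, the sample lines and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# ASP.NET serves /Page.aspx/extra from Page.aspx and exposes "/extra" as PathInfo.
PATHINFO_RE = re.compile(r"/setupwizard\.aspx(/.*)$", re.IGNORECASE)
# Assumed access-log shape: client, then the quoted request line, then status.
LOG_RE = re.compile(r'^(\S+) .*?"(?:[A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')

def setup_wizard_pathinfo(target):
    """Return the PathInfo suffix of a SetupWizard.aspx request, or None."""
    path = urlsplit(target).path
    for _ in range(3):  # undo up to three layers of percent-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    match = PATHINFO_RE.search(path.replace("\\", "/"))
    return match.group(1) if match else None

def scan(lines):
    """Return (line_no, client, status, pathinfo) for each suspicious request."""
    hits = []
    for no, line in enumerate(lines, 1):
        parsed = LOG_RE.match(line)
        if not parsed:
            continue  # not a request line in the assumed format
        client, target, status = parsed.groups()
        suffix = setup_wizard_pathinfo(target)
        if suffix is not None:
            hits.append((no, client, int(status), suffix))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /Host HTTP/1.1" 200',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /SetupWizard.aspx HTTP/1.1" 302',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /SetupWizard.aspx/literallyanything HTTP/1.1" 200',
    '198.51.100.7 - - [01/Jan/2024:10:01:09 +0000] "POST /setupwizard%2Easpx/?x=1 HTTP/1.1" 200',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The match is case-insensitive and decodes percent-encoding first, so cosmetic variations of the same URL are still flagged, while a plain request for the wizard page without a trailing segment is not.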

The second vulnerability triggers during extension unpack, as the unzipping process doesn’t prevent path traversal. The most interesting part is that the unzip happens before the extension installation finishes. So an attacker can compromise the box, cancel the install, and leave very little trace of exploitation.
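The check that a safe unpacker performs before writing anything is to resolve every archive entry name against the destination directory and reject any that land outside it. The following is an added sketch of that check in Python, not ScreenConnect's code; the destination path, the sample archive and the function names are hypothetical.

```python
import io
import posixpath
import re
import zipfile

def escaping_entries(zip_bytes, dest):
    """Return archive entry names that would be written outside dest."""
    dest = posixpath.normpath(dest)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for name in archive.namelist():
            rel = name.replace("\\", "/")  # Windows extractors treat \ as a separator
            if rel.startswith("/") or re.match(r"[A-Za-z]:", rel):
                bad.append(name)  # absolute or drive-qualified path
                continue
            target = posixpath.normpath(posixpath.join(dest, rel))
            if target != dest and not target.startswith(dest + "/"):
                bad.append(name)  # ".." segments climb out of dest
    return bad

def build_sample_zip():
    """Constructed in-memory archive mixing normal and traversal entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name in ("manifest.xml", "lib/../readme.txt", "../../outside.txt",
                     "..\\..\\outside2.txt", "/abs/path.txt", "C:/temp/x.txt"):
            archive.writestr(name, b"placeholder")
    return buf.getvalue()

DEST = "/srv/app/extensions/demo"  # hypothetical extension directory

if __name__ == "__main__":
    print(escaping_entries(build_sample_zip(), DEST))
```

An installer should run this validation over the whole archive and refuse it before extracting a single file, since, as noted above, files written during a cancelled install stay on disk.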