It’s 5 pm, the sun is slowly setting on the Leipzig conference center, and although we’re only halfway through the first day, there’s a ton that you should see. We’ll report some more on the culture of the con later — for now here’s just the hacks.
Electric Car Charging Stations: Spoofing and Reflashing
Electric autos are the future, right? Well, for now we need to figure out how to charge them. All across Germany, charging stations are popping up like dandelions. How do they work? Are they secure? [Mathias Dalheimer] bought a couple of charging stations, built himself a car simulator, spoofed some NFC cards, and found that the whole thing was full of holes. The talk is in German, and doesn’t yet have subtitles, but the takeaways are that it’s trivial to offload charges to other people by cloning their NFC cards. Worse, the charging stations are Internet accessible, and of course remotely-controllable. With physical access, and a screwdriver, the entire station can be reflashed and then the game’s up. [Mathias] ended his talk with a call for community involvement in shaping the next generation of charging-station protocols and software, because after all, this is infrastructure that we’d all like to use in the future.
Open-Source Silicon: Verifying the RISC-V Spec
If we were to pick one of the largest developments in the open-source hardware industry this year, we’d call 2017 the year of open silicon. In particular the open RISC-V processor came out in hardware that you can play around with now. In ten years, when we’re all running open-silicon “Arduinos”, remember this time. And if you haven’t been watching [Clifford Wolf], you might have missed that he wrote the 3D modelling software OpenSCAD, or the free FPGA toolchain Project IceStorm.
Anyway, [Clifford] has turned his attention to the RISC-V architecture. He’s been working on formally verifying that a hardware design meets the RISC-V specification. In contrast to simulation, where you run the hardware from a bunch of starting values, and see if it ends up in an undesired state, formal verification proves that the hardware design doesn’t do the wrong things, at least for a certain number of cycles after startup.
All of this is nice, but it’s not worth doing unless it’s finding bugs. And he’s found bugs in nearly every RISC-V implementation, and in the actual English-language specification as well. A free and open formal verification suite for an open processor specification eases the way for all future developers. This may seem abstruse at the moment, but it’s paving the way for a revolution.
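To make the simulation-versus-bounded-proof distinction above concrete, here is an added example (not from the talk or from [Clifford]'s verification suite). The 8-bit accumulator "design", its planted bug, and all function names are constructed for illustration, and the check enumerates inputs explicitly, where real tools hand the same search to a SAT/SMT solver.

```python
MASK = 0xFF  # 8-bit toy datapath (constructed example)

def spec_step(acc, imm):
    """Specification: acc <- (acc + imm) mod 256."""
    return (acc + imm) & MASK

def impl_step(acc, imm):
    """Constructed 'design under test' with one planted corner-case bug."""
    if acc == 0xA5 and imm == 0x5A:
        return 0x00                      # spec says 0xFF
    return (acc + imm) & MASK

CORNERS = [0x00, 0x01, 0x7F, 0x80, 0xFF]  # typical hand-picked test values

def simulate(starts=CORNERS, stimulus=CORNERS):
    """Simulation: run chosen stimulus from chosen starting values.
    Returns (start, inputs_so_far) at the first mismatch, else None."""
    for start in starts:
        acc = start
        for i, imm in enumerate(stimulus):
            nxt = impl_step(acc, imm)
            if nxt != spec_step(acc, imm):
                return start, stimulus[:i + 1]
            acc = nxt
    return None

def bounded_check(depth):
    """Check every input sequence of up to `depth` cycles after reset (acc=0).
    Returns the shortest counterexample trace, or None if the bound is clean."""
    frontier = {0: []}                   # state -> inputs that reach it
    seen = {0}
    for _ in range(depth):
        nxt_frontier = {}
        for acc, trace in frontier.items():
            for imm in range(MASK + 1):
                nxt = impl_step(acc, imm)
                if nxt != spec_step(acc, imm):
                    return trace + [imm]
                if nxt not in seen:
                    seen.add(nxt)
                    nxt_frontier[nxt] = trace + [imm]
        frontier = nxt_frontier
    return None

if __name__ == "__main__":
    print("simulation:", simulate())
    print("bound 1:", bounded_check(1))
    print("bound 2:", bounded_check(2))
```

The hand-picked simulation vectors pass, a bound of one cycle is clean, and a bound of two cycles returns the exact input trace that makes the design diverge from the spec.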
Robotic Vacuum Cleaners: Rooting the Xiaomi Blinds the Cloud
The Xiaomi robotic vacuum cleaner would certainly make a great platform for hacker explorations: it has a LIDAR, batteries, decent motors, electronic compass, ultrasonic “radar”, and much more. [Dennis Giese] and [Daniel AW] got root on the device, opening it up completely. Watch the preliminary version of the talk here. They dumped the MMC flash by shorting pins to ground with a piece of aluminum foil, and then fooled the update procedure into accepting their own image, and the game was over. They then went on to work around all of Xiaomi’s cloud services, allowing entirely self-contained operation if you’d like.
Interestingly enough, [Dennis] and [Daniel] found a reference to a tcpdump command that would eavesdrop on all network traffic inside your WLAN. It didn’t seem to be running, because there were no pcap files to be found. It could be a leftover from development, or it could be something more sinister. Xiaomi has just been featured on Hackaday for their nightlight that sends ridiculous amounts of data home. In this light (tee-hee) it’s not entirely surprising to find that their vacuum is doing the same thing — draw your own conclusions.
The Intel Management Engine, Again
One of the bigger vulnerabilities disclosed this year was the crack of the Intel Management Engine. It’s a hidden computer inside your computer, which doubles as the root of trust for basically everything else. If it could be compromised, it would be the end. It has always been shrouded in secrecy, and that’s made everyone nervous. [Maxim Goryachy], [Mark Ermolov], and [Dmitry Sklyarov] managed to attack it via a JTAG port. If you want to get into the hack in detail, this talk is for you. This hack was a very big chink in the armor of obscurity surrounding the IME. It will be interesting to see what next year brings.
What’s One Bit Between Friends?
In this technical yet accessible talk, [Filippo Valsorda] walks us through a bug he found in an encryption algorithm deep inside a Go library, and how he used a one-bit error that occurs around one time in a billion to extract the entire 256-bit secure key. The video is here. By carefully crafting a public key, he can use the extremely infrequent error to sequentially unravel the entire secret. The particular bug that he found is fixed, of course, but the method of deploying tons of computing power to ferret out keys just shows how far you can push even the tiniest oracle. This talk demonstrates very explicitly that even the smallest bug is too big.
Networks Before the Internet: BBS Memory Lane
[LaForge] is an open-source radio hacker. If you’ve done any SDR work, you may have used drivers from his Osmocom project. But like the rest of us, he was a young nerdling once. And when he was young, the BBS scene was the big deal. In this non-technical talk, he takes a trip down memory lane and looks at the tech that underlies the BBS era.
If you’re wondering where we’re going to be tonight, check out the schedule and watch live streams. In particular, there’s a talk on the state of computing in North Korea, tweaking FitBits, cracking WPA2, and a talk that promises to be the “Ultimate Apollo Guidance Computer Talk”. And then we’ll take a nap, and do it all again tomorrow.