OBD-II Dongle Attack: Stopping a Moving Car via Bluetooth

Researchers from the Argus Research Team found a way to hack into the Bosch Drivelog ODB-II dongle and inject any kind of malicious packets into the CAN bus. This allowed them to, among other things, stop the engine of a moving vehicle by connecting to the dongle via Bluetooth.

Drivelog is Bosch’s smart device for collecting and managing your vehicle’s operating data. It allows a user to connect via Bluetooth to track fuel consumption and to be alerted when service is necessary. It was compromised in a two stage attack. The first vulnerability, an information leak in the authentication process, between the dongle and the smart phone application allowed them to quickly brute-force the secret PIN offline and connect to the dongle via Bluetooth. After being connected, security holes in the message filter of the dongle allowed them to inject malicious messages into the CAN bus.

The Bluetooth pairing mechanism, called “Just Works”, has been fixed by Bosh by activating a two-step verification for additional users to be registered to a device.  The second issue, the ability for a maliciously modified mobile application to possibly send unwanted CAN messages, will be mitigated with an update to the dongle firmware to further limit the allowed commands that the dongle is able to place on the CAN bus.

Bosch downplays the issue a bit in their statement:

It is important to note that scalability of a potential malicious attack is limited by the fact that such an attack requires physical proximity to the dongle. This means that the attacking device needs to be within Bluetooth range of the vehicle.

The problem is that physical proximity does not equal Bluetooth range. Standard Bluetooth range is about 10m, which is very arguable physical proximity, but it is pretty easy to buy or even modify a Bluetooth dongle with 10x and 100x more range. When adding a wireless connection to the CAN bus of an automobile, the manufacturer has an obligation to ensure the data system is not compromised. This near-proximity example is still technically a remote hack, and it’s an example of the worst kind of vulnerability.

Is My Password Safe? Practices for People Who Know Better

A couple of weeks back a report came out where [Tavis Ormandy], a widely known security researcher for Google Project-Zero, showed how it was possible to abuse Lastpass RPC commands and steal user passwords. Irony is… Lastpass is a software designed to keep all your passwords safe and it’s designed in a way that even they can’t access your passwords, the passwords are stored locally using strong cryptography, only you can access them via a master-key. Storing all your passwords in only place has its downfalls. By the way, there is no proof or suggestion that this bug was abused by anyone, so if you use Lastpass don’t worry just yet.

But it got me thinking, how worried and how paranoid should a regular Internet user should be about his password? How many of us have their account details exposed somewhere online? If you’ve been around long enough, odds are you have at least a couple of accounts on some major Internet-based companies. Don’t go rushing into the Dark Web and try to find if your account details are being sold. The easiest way to get your paranoia started is to visit Have I Been Pwned. For those who never heard about it, it’s a website created by [Troy Hunt], a well-known security professional. It keeps track of all known public security breaches he can get his hands on and provides an answer to a simple question: “Was my account in any major data leak?” Let’s take a look.

Continue reading “Is My Password Safe? Practices for People Who Know Better”

Modern DIY FM radio

Back in the day, building a DIY radio was fun! We only had to get our hands at a germanium diode, make some coils, and with a resistor and long wire as an antenna maybe we could get some sound out of those old white earplugs. That was back then. Now we have things like the Si4703 FM tuner chip that can tune in FM radio in the 76–108 MHz range, comes with integrated AGC and AFC, controlled by I2C, as well as a bunch of other acronyms which seem to make the whole DIY radio-building process outdated. The challenges of the past resulted in the proven solutions of the present in which we build upon.

This little project by [Patrick Müller] is a modern radio DIY tutorial. With an Arduino Nano as the brains and controller for an Si4703 breakout board, he builds a completely functional and portable FM radio. A small OLED display lets the user see audio volume, frequency, selected station and still has space left to show the current available battery voltage. It has volume control, radio station seek, and four buttons that allows quick access to memorized stations. The source code shows how it is possible to control the Si4703 FM tuner chip to suit your needs.

As for ICs, not everything is new, [Patrick] still used the good old LM386 amp to drive the speaker, which is almost 35 years old by now. As we can listen in the demo video, it can still output some seriously loud music sounds!

Continue reading “Modern DIY FM radio”

From XP to 10, DoubleAgent pwns all your Windows?

The Cybellum team published a new 0-day technique for injecting code and maintaining persistency on a target computer, baptized DoubleAgent. This technique uses a feature that all Windows versions since XP provide, that allows for an Application Verifier Provider DLL to be installed for any executable. The verifier-provider DLL is just a DLL that is loaded into the process and is supposedly responsible for performing run-time verifications for the application. However, its internal behaviour can be whatever an attacker wants, since he can provide the DLL himself.

Microsoft describes it as:

Application Verifier is a runtime verification tool for unmanaged code. Application Verifier assists developers in quickly finding subtle programming errors that can be extremely difficult to identify with normal application testing. Using Application Verifier in Visual Studio makes it easier to create reliable applications by identifying errors caused by heap corruption, incorrect handle and critical section usage. (…)

The code injection occurs extremely early during the victim’s process initialization, giving the attacker full control over the process and no way for the process to actually detect what’s going on. Once a DLL has been registered as a verifier provider DLL for a process, it would permanently be injected by the Windows Loader into the process every time the process starts, even after reboots, updates, reinstalls, or patches.

So it’s all over for Windows right? Well… no. The thing is, to register this DLL, the registered process has to have administrator rights so it can write the proper key to the Windows Registry. Without these permissions, there is no way for this attack to work. You know, the kind of permissions that allow you to install software for all users or format your own hard-drive. So, although this technique has its merit and can present challenges to processes that absolutely must maintain their integrity (such as the Cybellum team points out in the Anti-Virus software case), some other security flaw had to occur first so you can register this sort of ‘debugging DLL’.

If you already have administrator permissions you can do pretty much what you want, including DLL injection to fool anti-virus software. (Though it might be easy just to disable or remove it.)  This new tool has the advantage of being stealthy, but is a 0-day that requires root a 0-day?

[via The Hacker News]

Cloudbleed — Your Credentials Cached in Search Engines

In case you are still wondering about the SHA-1 being broken and if someone is going to be spending hundreds of thousands of dollars to create a fake Certificate Authority and sniff your OkCupid credentials, don’t worry. Why spend so much money when your credentials are being cached by search engines?… Wait, what?

A serious combination of bugs, dubbed Cloudbleed by [Tavis Ormandy], lead to uninitialized memory being present in the response generated by the reverse proxies and leaked to the requester. Since these reverse proxies are shared between Cloudflare clients, this makes the problem even worst, since random data from random clients was leaking. It’s sort of like Heartbleed for HTTP requests. The seriousness of the issue can be fully appreciated in [Tavis] words:

“The examples we’re finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to cleanup. I’ve informed cloudflare what I’m working on. I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We’re talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”

sexAccording to Cloudflare, the leakage can include HTTP headers, chunks of POST data (perhaps containing passwords), JSON for API calls, URI parameters, cookies and other sensitive information used for authentication (such as API keys and OAuth tokens). An HTTP request to a Cloudflare web site that was vulnerable could reveal information from other unrelated Cloudflare sites.

Adding to this problem, search engines and any other bot that roams free on the Internet, could have randomly downloaded this data. Cloudflare released a detailed incident report explaining all the technicalities of what happened and how they fixed it. It was a very quick incident response with initial mitigation in under 47 minutes. The deployment of the fix was also quite fast. Still, while reading the report, a sense that Cloudflare downplayed this issue remains. According to Cloudflare, the earliest date that this problem could have started is 2016-09-22 and the leak went on until 2017-02-18, five months, give or take.

Just to reassure the readers and not be alarmist, there is no evidence of anyone having exploiting what happened. Before public exposure, Cloudflare worked in proximity with search engines companies to ensure memory was scrubbed from search engine caches from a list of 161 domains they had identified. They also report that Cloudflare has searched the web (!), in sites like Pastebin, for signs of leaks and found none.

On the other hand, it might be very well impossible to know for sure if anyone has a chunk of this data cached away somewhere in the aether. It’s impossible to know. What we would really like to know is: does [Tavis] get the t-shirt or not?

SHAttered — SHA-1 is broken in

A team from Google and CWI Amsterdam just announced it: they produced the first SHA-1 hash collision. The attack required over 9,223,372,036,854,775,808 SHA-1 computations, the equivalent processing power as 6,500 years of single-CPU computations and 110 years of single-GPU computations. While this may seem overwhelming, this is a practical attack if you are, lets say, a state-sponsored attacker. Or if you control a large enough botnet. Or if you are just able to spend some serious money on cloud computing. It’s doable. Make no mistake, this is not a brute-force attack, that would take around 12,000,000 single-GPU years to complete.

SHA-1 is a 160bit standard cryptographic hash function that is used for digital signatures and file integrity verification in a wide range of applications, such as digital certificates, PGP/GPG signatures, software updates, backup systems and so forth. It was, a long time ago, proposed as a safe alternative to MD5, known to be faulty since 1996. In 2004 it was shown that MD5 is not collision-resistant and not suitable for applications like SSL certificates or digital signatures. In 2008, a team of researchers demonstrated how to break SSL based on MD5, using 200 Playstations 3.

Early since 2005 theoretical attacks against SHA-1 were known. In 2015 an attack on full SHA-1 was demonstrated (baptized the SHAppening). While this did not directly translate into a collision on the full SHA-1 hash function due to some technical aspects, it undermined the security claims for SHA-1. With this new attack, dubbed SHAttered, the team demonstrated a practical attack on the SHA-1 algorithm, producing two different PDF files with the same checksum.

The full working code will be released in three months, following Google’s vulnerability disclosure policy, and it will allow anyone to create a pair of PDFs that hash to the same SHA-1 sum given two distinct images and some, not yet specified, pre-conditions.

For now, recommendations are to start using SHA-256 or SHA-3 on your software. Chrome browser already warns if a website has SHA-1 certificate, Firefox and the rest of the browsers will surely follow. Meanwhile, as always, tougher times are ahead for legacy systems and IoT like devices.

From Zero to Nano

Have you ever wanted to build your own Arduino from scratch? [Pratik Makwana] shares the entire process of designing, building and flashing an Arduino Nano clone. This is not an entry-level project and requires some knowledge of soldering to succeed with such small components, but it is highly rewarding to make. Although it’s a cheap build, it’s probably cheaper to just buy a Nano. That’s not the point.

The goal here and the interesting part of the project is that you can follow the entire process of making the board. You can use the knowledge to design your own board, your own variant or even a completely different project.

from-zero-to-nano-thumb[Pratik Makwana] starts by showing how to design the circuit schematic diagram in an EDA tool (Eagle) and the corresponding PCB layout design. He then uses the toner transfer method and a laminator to imprint the circuit into the copper board for later etching and drilling. The challenging soldering process is not detailed, if you need some help soldering SMD sized components we covered some different processes before, from a toaster oven to a drag soldering process with Kapton tape.

Last but not least, the bootloader firmware. This was done using an Arduino UNO working as master and the newly created the Arduino Nano clone as target. After that you’re set to go. To run an actual sketch, just use your standard USB to UART converter to burn it and proceed as usual.

Voilá, from zero to Nano:

Continue reading “From Zero to Nano”