Security Problems with Gas Station Automated Tank Gauges

[HD Moore] recently posted an article on Rapid 7’s blog about an interesting security problem. They’ve been doing some research into the security of automated tank gauges (ATGs). These devices are used at gas stations and perform various functions including monitoring fuel levels, tracking deliveries, or raising alarms. [Moore] says that ATGs are used at nearly every fueling station in the United States, but they are also used internationally. It turns out these things are often not secured properly.

Many ATGs have a built-in serial port for programming and monitoring. Some systems also have a TCP/IP card, or even a serial to TCP/IP adapter. These cards allow technicians to monitor the system remotely. The most common TCP port used in these systems is port 10001. Some of these systems can be password protected, but Rapid 7’s findings indicate that many of them are left wide open.

The vulnerability was initially reported to Rapid 7 by [Jack Chadowitz]. He discovered the problem through his work within the industry and developed his own web portal to help people test their own systems. [Jack] approached Rapid 7 for assistance in investigating the issue on a much larger scale.

Rapid 7 then scanned every IPv4 address looking for systems with an open port 10001. Each live system discovered was then sent a “Get In-Tank Inventory Report” request. Any system vulnerable to attack would respond with the station name, address, number of tanks, and fuel types. The scan found approximately 5,800 systems online with no password set. Over 5,300 of these stations are in the United States.

Rapid 7 believes that attackers may be able to perform such functions as to reconfigure alarm thresholds, reset the system, or otherwise disrupt operation of the fuel tank. An attacker might be able to simulate false conditions that would shut down the fuel tank, making it unavailable for use. Rapid 7 does not believe this vulnerability is actively being exploited in the wild, but they caution that it would be difficult to tell the difference between an attack and a system failure. They recommend companies hide their systems behind a VPN for an additional layer of security.
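As an added example (not from the Rapid 7 post or any ATG vendor), here is the defender-side check that follows from the findings above: scan firewall logs for accepted inbound connections to TCP port 10001 whose source is outside an allowlisted VPN or management range. The log format, addresses and the `10.8.0.0/24` VPN range are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# TCP port used by the ATG network interfaces discussed above.
ATG_PORT = 10001

# Constructed sample firewall log lines (key=value style, not from a real device).
SAMPLE_LOG = """\
2015-01-22T10:01:03Z action=accept proto=tcp src=203.0.113.10 dst=192.0.2.5 dport=10001
2015-01-22T10:01:09Z action=accept proto=tcp src=10.8.0.12 dst=192.0.2.5 dport=10001
2015-01-22T10:02:41Z action=accept proto=tcp src=203.0.113.10 dst=192.0.2.5 dport=10001
2015-01-22T10:03:00Z action=accept proto=tcp src=198.51.100.7 dst=192.0.2.5 dport=443
2015-01-22T10:04:17Z action=drop proto=tcp src=198.51.100.9 dst=192.0.2.5 dport=10001
2015-01-22T10:05:55Z action=accept proto=tcp src=198.51.100.9 dst=192.0.2.6 dport=10001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

def find_exposed_atg_access(log_text, allowed_networks):
    """Return (timestamp, src, dst) for every accepted TCP connection to the
    ATG port whose source lies outside the allowlisted networks (assumed to be
    the VPN range technicians should be coming from). Dropped connections are
    skipped: they show probing, not exposure."""
    allowed = [ipaddress.ip_network(n) for n in allowed_networks]
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        if m["action"] != "accept" or m["proto"] != "tcp":
            continue
        if int(m["dport"]) != ATG_PORT:
            continue
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in allowed):
            continue
        findings.append((m["ts"], m["src"], m["dst"]))
    return findings

def summarize_by_source(findings):
    """Count unauthorized accepted connections per source address."""
    return Counter(src for _, src, _ in findings)

if __name__ == "__main__":
    hits = find_exposed_atg_access(SAMPLE_LOG, ["10.8.0.0/24"])
    for ts, src, dst in hits:
        print(f"{ts} unauthorized ATG access {src} -> {dst}:{ATG_PORT}")
    print(summarize_by_source(hits))
```

Any hit means the ATG port is reachable from outside the VPN, which is exactly the condition the post's recommendation is meant to remove.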

[Thanks Ellery]

Reprogramming Super Mario World from Inside The Game

[SethBling] recently set a world record speed run of the classic Super Nintendo game Super Mario World on the original SNES hardware. He managed to beat the game in five minutes and 59.6 seconds. How is this possible? He actually reprogrammed the game by moving specific objects to very specific places and then executing a glitch. This method of beating the game was originally discovered by Twitch user [Jeffw356] but it was performed on an emulator. [SethBling] was able to prove that this “credits warp” glitch works on the original hardware.

If you watch the video below, you’ll see [SethBling] visit one of the first available levels in the game. He then proceeds to move certain objects in the game to very specific places. What he’s doing here is manipulating the game’s X coordinate table for the sprites. By moving objects to specific places, he’s manipulating a section of the game’s memory to hold specific values and a specific order. It’s a meticulous process that likely took a lot of practice to get right.

Once the table was set up properly, [SethBling] needed a way to get the SNES to execute the X table as CPU instructions. In Super Mario World, there are special items that Mario can obtain that act as a power up. For example, the mushroom will make him grow in size. Each sprite in the game has a flag to tell the SNES that the item is able to act as a power up. Mario can either collect the power up by himself, or he can use his friendly dinosaur Yoshi to eat the power up, which will also apply the item’s effects to Mario.

The next part of the speed run involves something called the item swap glitch. In the game, Mario can collect coins himself, or Yoshi can also collect them by eating them. A glitch exists where Yoshi can start eating a coin, but Mario jumps off of Yoshi and collects the coin himself simultaneously. The result is that the game knows there is something inside of Yoshi’s mouth but it doesn’t know what. So he ends up holding an empty sprite with no properties. The game just knows that it’s whatever sprite is in sprite slot X.

Now comes the actual item swap. There is an enemy in the game called Chargin’ Chuck. This sprite happens to have the flag set as though it’s a power up. Normally this doesn’t matter because it also has a flag set to tell the game that it cannot be eaten by Yoshi. Also, Chuck is an enemy, so it actually hurts Mario rather than acting as a power up. So under normal circumstances, this sprite will never actually act as a power up. The developers never programmed the game to properly handle this scenario, because it was supposed to be impossible.

If the coin glitch is performed in a specific location within the level, a Chargin’ Chuck will spawn just after the coin is collected. When the Chuck spawns, it will take that empty sprite slot and suddenly the game believes that Yoshi is holding the Chuck in his mouth. This triggers the power up condition, which as we already know was never programmed into the game. The code ends up jumping to an area of memory that doesn’t contain normal game instructions.

The result of all of this manipulation and glitching is that all of the values in the sprite X coordinate table are executed as CPU instructions. [SethBling] set up this table to hold values that tell the game to jump to the end credits. The console executes them and does as commanded, and the game is over just a few minutes after it began. The video below shows the speed run but doesn’t go far into the technical details; you can read more about them here.

This isn’t the first time we’ve seen this type of hack. Speed runs have been performed on Pokemon with very similar techniques. Another hacker managed to program and execute a version of single player pong all from within Pokemon Blue. We can’t wait to see what these game hackers come up with next.

Arduino Tetris on a Multiplexed LED Matrix

[Alex] needed a project for his microcomputer circuits class. He wanted something that would challenge him on both the electronics side of things, as well as the programming side. He ended up designing an 8 by 16 grid of LEDs that was turned into a game of Tetris.

He arranged all 128 LEDs into the grid on a piece of perfboard. All of the anodes were bent over and connected together into rows of 8 LEDs. The cathodes were bent perpendicularly and form columns of 16 LEDs. This way, if power is applied to one row and a single column is grounded, one LED will light up at the intersection. This method only works reliably to light up a single LED at a time. With that in mind, [Alex] needed to have a very high “refresh rate” for his display. He only ever lights up one LED at a time, but he scans through the 128 LEDs so fast that persistence of vision prevents you from noticing. To the human eye, it looks like multiple LEDs are lit up simultaneously.

[Alex] planned to use an Arduino to control this display, but it doesn’t have enough outputs on its own to control all of those lights. He ended up using multiple 74138 decoder/multiplexer ICs to control the LEDs. Since the columns have inverted outputs, he couldn’t just hook them straight up to the LEDs. Instead he had to run the signals through a set of PNP transistors to flip the logic. This setup allowed [Alex] to control all 128 LEDs with just seven bits, but it was too slow for him.

His solution was to control the multiplexers with counter IC’s. The Arduino can just increment the counter up to the appropriate LED. The Arduino then controls the state of the LED using the active high enable line from the column multiplexer chip.

[Alex] wanted more than just a static image to show off on his new display, so he programmed in a version of Tetris. The controller is just a piece of perfboard with four push buttons. He had to work out all of the programming to ensure the game ran smoothly while properly updating the screen and simultaneously reading the controller for new input. All of this ran on the Arduino.

Can’t get enough Tetris hacks? Try these on for size.

Remotely Controlling Automobiles Via Insecure Dongles

Automobiles are getting smarter and smarter. Nowadays many vehicles run on a mostly drive-by-wire system, meaning that most of the controls are electronically actuated. We’re not just talking about the window or seat adjustment controls, but also the instrument cluster, steering, brakes, and accelerator. These systems can make the driving experience better, but they also introduce an interesting avenue of attack. If the entire car is controlled by a computer, then what if an attacker were to gain control of that computer? You may think that’s nothing to worry about, because an attacker would have no way to remotely access your vehicle’s computer system. It turns out this isn’t so hard after all. Two recent research projects have shown that some OBD-II dongles are very susceptible to attack.

The first was an attack on a device called Zubie. Zubie is a dongle that you can purchase to plug into your vehicle’s OBD-II diagnostic port. The device can monitor sensor data from your vehicle and then perform logging and reporting back to your smart phone. It also includes a built-in GPRS modem to connect back to the Zubie cloud. One of the first things the Argus Security research team noticed when dissecting the Zubie was that it included what appeared to be a diagnostic port inside the OBD-II connector.

Online documentation showed the researchers that this was a +2.8V UART serial port. They were able to communicate over this port with a computer with minimal effort. Once connected, they were presented with an AT command interface with no authentication. Next, the team decompiled all of the Python pyo files to get the original scripts. After reading through these, they were able to reverse engineer the communication protocols used for communication between the Zubie and the cloud. One particularly interesting finding was that the device was open for firmware updates every time it checked in with the cloud.

The team then set up a rogue cellular tower to perform a man in the middle attack against the Zubie. This allowed them to control the DNS address associated with the Zubie cloud. The Zubie then connected to the team’s own server and downloaded a fake update crafted by the research team. This acted as a trojan horse, which allowed the team to control various aspects of the vehicle remotely via the cellular connection. Functions included tracking the vehicle’s location, unlocking the doors, and manipulating the instrument cluster. All of this can be done from anywhere in the world as long as the vehicle has a cellular signal.

A separate but similar project was also recently discussed by [Corey Thuen] at the S4x15 security conference. He didn’t attack the Zubie, but it was a similar device. If you are a Progressive insurance customer, you may know that the company offers a device called SnapShot that monitors your driving habits via the OBD-II port. In exchange for you providing this data, the company may offer you lower rates. This device also has a cellular modem to upload data back to Progressive.

After some research, [Thuen] found that there were multiple security flaws in Progressive’s tracker. For one, the firmware is neither signed nor validated. On top of that, the system does not authenticate to the cellular network, or even encrypt its Internet traffic. This leaves the system wide open for a man in the middle attack. In fact, [Thuen] mentions that the system can be hacked by using a rogue cellular radio tower, just like the researchers did with the Zubie. [Thuen] didn’t take his research this far, but he likely doesn’t have to in order to prove his point.

The first research team provided their findings to Zubie who have supposedly fixed some of the issues. Progressive has made a statement that they hadn’t heard anything from [Thuen], but they would be happy to listen to his findings. There are far more devices on the market that perform these same functions. These are just two examples that have very similar security flaws. With that in mind, it’s very likely that others have similar issues as well. Hopefully with findings like this made public, these companies will start to take security more seriously before it turns into a big problem.

[Thanks Ellery]

A SEGA Dreamcast Controller With a Built-in Screen

[Fibbef] was hard at work on a project for a build-off competition when he accidentally fried the circuit board. Not one to give up easily, he opted to start a new project with only two days left in the competition. He managed to modify a SEGA Dreamcast controller to hold a color screen in that short amount of time.

The Dreamcast controller’s shape is somewhat conducive to this type of mod. It already has a small window to ensure the view of the visual memory card is not obstructed. Unfortunately [Fibbef’s] screen was a bit too large for this window. That meant he would have to expand the controller and the circuit board.

After taking the controller apart, he desoldered the memory card connectors. He then cut the circuit board cleanly in half vertically. He had to re-wire all of the traces back together by hand. It turned out initially that he had messed something up and accidentally fried the right half of the controller. To fix it, he cut a second controller in half and soldered the two boards together.

With some more horizontal space to work with on the PCB side of things, [Fibbef] now needed to expand the controller’s housing. He cut the controller into several pieces, making sure to keep the start button centered for aesthetics. He then used duct tape to hold popsicle sticks in place to make up for the missing pieces of the case. All of the sticks were then covered with a thick layer of ABS cement to make for a more rigid enclosure. All of this ended up being covered in Bondo, a common trick in video game console mods. It was then sanded smooth and painted with black primer to make for a surprisingly nice finish.

The screen itself still needed a way to get power and a video signal. [Fibbef] built an adapter box to take both of these signals and pass them to the controller via a single cable. The box has a USB-A connector for power input, and a composite connector for video. There’s also a USB-B connector for the output signals. [Fibbef] uses a standard printer USB cable to send power and video signals to the controller. The end result looks great and serves to make the Dreamcast slightly more portable. Check out the demo video below to see it in action.

DIY Hot Wheels Drag Race Timer

[Apachexmd] wanted to do something fun for his three-year-old son’s birthday party. Knowing how cool race cars are, he opted to build his own Hot Wheels drag race timer. He didn’t take the easy way out either. He put both his electronics and 3D printing skills to the test with this project.

The system has two main components. First, there’s the starting gate. The cars all have to leave the gate at the same time for a fair race, so [Apachexmd] needed a way to make this electronically controlled. His solution was to use a servo connected to a hinge. The hinge has four machine screws, one for each car. When the servo is rotated in one direction, the hinge pushes the screws out through holes in the track. This keeps the cars from moving on the downward slope. When the start button is pressed, the screws are pulled back and the cars are free to let gravity take over.

The second component is the finish line. Underneath the track are four laser diodes. These shine upwards through holes drilled into the track. Four phototransistors are mounted up above. These act as sensors to detect when the laser beam is broken by a car. It works similarly to a laser trip wire alarm system. The sensors are aimed downwards and covered in black tape to block out extra light noise.

Also above the track are eight 7-segment displays; two for each car. The system is able to keep track of the order in which the cars cross the finish line. When the race ends, it displays which place each car came in above the corresponding track. The system also keeps track of the winning car’s time in seconds and displays this on the display as well.

The system runs on an Arduino and is built almost exclusively out of custom designed 3D printed components. Since all of the components are designed to fit perfectly, the end result is a very slick race timer. Maybe next [Apachexmd] can add in a radar gun to clock top speed. Check out the video below to see it in action.

Simple Directional WiFi Antenna

Back in 2007, [Stathack] rented an apartment in Thailand. This particular apartment didn’t include any Internet access. It turned out that getting a good connection would cost upwards of $100 per month, and also required a Thai identification card. Not wanting to be locked into a 12-month contract, [Stathack] decided to build himself a directional WiFi antenna to get free WiFi from a shop down the street.

The three main components of this build are a USB WiFi dongle, a baby bottle, and a parabolic Asian mesh wire spoon. The spoon is used as a reflector. The parabolic shape means that it will reflect radio signals to a specific focal point. The goal is to get the USB dongle as close to the focal point as possible. [Stathack] did a little bit of math and used a Cartesian equation to figure out the optimal location.

Once the location was determined, [Stathack] cut a hole in the mesh just big enough for the nipple of the small baby bottle. The USB dongle is housed inside of the bottle for weatherproofing. A hole is cut in the nipple for a USB cable. Everything is held together with electrical tape as needed.

[Stathack] leaves this antenna on his balcony aiming down the street. He was glad to find that he is easily able to pick up the WiFi signal from the shop down the street. He was also surprised to see that he can pick up signals from a high-rise building over 1km away. Not bad for an antenna made from a spoon and a baby bottle; plus it looks less threatening than some of the cantenna builds we’ve seen.