Building a Final Key

Final Key

Remembering passwords is a pain, and there’s a number of devices out there to make it easier. If you’re looking to roll your own, this guide to building a Final Key will walk you through the process.

We talked about the Final Key before. It’s a one button password manager that encrypts and stores your password. It acts as a virtual serial port for configuration. When you hit the button, it becomes a keyboard and types in the correct password.

The creator has no intentions of making this a commercial project for a number of reasons. Instead, easy build instructions are provided based on the Arduino Pro Micro. The 24LC512 EEPROM can be soldered directly to the Arduino by bending out the DIP legs. A few resistors, a button, and an LED finish off the project. The last step is to fill it with hot glue to prevent tampering.

The Final Key firmware is available on Github, and the case can be ordered from Shapeways. If you’re interested in hardware password management, you can also check out the Mooltipass which is being developed on Hackaday.

[Thanks to Lars for the tip!]

Sniping 2.4GHz

sniper

A long time ago when WiFi and Bluetooth were new and ‘wardriving’ was still a word, a few guys put a big antenna on a rifle and brought it to DefCon. Times have changed, technology has improved, and now [Hunter] has built his own improved version.

The original sniper Yagi was a simple device with a 2.4 GHz directional antenna taped onto the barrel, but without any real computational power. Now that displays, ARM boards, and the software to put this project all together are cheap and readily available, [Hunter] looked towards ubiquitous computing platforms to make his Sniper Yagi a little more useful.

This version uses a high gain (25dBi) antenna, a slick fold-out screen, and a Raspberry Pi loaded up with Raspberry Pwn, the pentesting Raspi distro, to run the gun. There’s a button connected to the trigger that will automatically search the WiFi spectrum for the best candidate for cracking and… get cracking.

[Hunter] says he hasn’t taken this highly modified airsoft rifle outside, nor has he pointed out a window. This leaves us with the question of how he’s actually testing it, but at least it looks really, really cool.

Electric Imp Locks and Unlocks your Door Automatically

2013-11-19 14.23.18

When the folks over at PinMeTo moved into a new office, they were dismayed to find out an extra key would run them a whopping 500 sek (~$75 USD). Instead, they decided to build their own automatic door lock using the Electric Imp system.

If you’re not familiar, the Electric Imp is a small SD card designed to provide internet (Wi-Fi) functionality to consumer devices. While it looks like an SD card, you cannot just plug it into any SD card slot and expect it to work — it still needs a prototyping board. We’ve seen it used to make a wireless thermal printer, or even make a tweeting cat door to let you know of any feline intruders!

Anyway — back to the hack. To move the lock cylinder they’re using a basic RC servo connected directly to the Imp. A flex sensor is installed on the side of the door over-top the lock — this provides feedback to the Imp whether or not the door is in fact locked. The Imp then communicates to Everymote to allow for keypad access from your mobile phone.

It probably ended up costing more in time and money than a new key, but hey, it looks like it was a fun project to do!

Using Bitcoin To Detect Malware

vigil

Now that you can actually buy things with bitcoins, it’s become a playground for modern malware authors. [Eric] recently lost about 5 BTC because of some malware he installed and decided to do something about it. He came up with BitcoinVigil, a web service that constantly looks at bitcoin honeypots and alerts you when bitcoins are surreptitiously removed.

The idea behind BitcoinVigil is to set up a Bitcoin wallet with a small amount of coins in it – only about $10 USD worth. When modern, Bitcoin-seeking malware is run on a computer, it looks for this ‘moneypot’ and sends an email out notifying the owner of the coins to stolen money.

[Eric] was at a LAN party a few weeks ago and ‘borrowed’ a friend’s copy of Starcraft 1. Just a few seconds after installing it, he received an alert notifying him about a few stolen bitcoins. This time [Eric] only lost a few microBTC, but better than the thousands of USD he lost before.

MSP430-Based CTF Hardware Hacking Challenge

Hardware 'Flag'

Hacking conferences often feature a Capture the Flag, or CTF event. Typically, this is a software hacking challenge that involves breaking into targets which have been set up for the event, and capturing them. It’s good, legal, hacking fun.

However, some people are starting to build CTFs that involve hardware hacking as well. [Balda]‘s most recent hardware hacking challenge was built for the Insomni’hack 2014 CTF. It uses an MSP430 as the target device, and users are allowed to enter commands to the device over UART via a Bus Pirate. Pull off the exploit, and the wheel rotates to display a flag.

For the first challenge, contestants had to decompile the firmware and find an obfuscated password. The second challenge was a bit more complicated. The password check function used memcpy, which made it vulnerable to a buffer overflow attack. By overwriting the program counter, it was possible to take over control of the program and make the flag turn.

The risk of memcpy reminds us of this set of posters. Only abstaining from memcpy can 100% protect you from overflows and memory disclosures!

 

Malware In A Mouse

mouser

Keyloggers, in both hardware and software forms, have been around for a long, long time. More devious keyloggers are smart enough to ‘type’ commands into a computer and install Trojans, back doors, and other really nasty stuff. What about mice, though? Surely there’s no way the humble USB mouse could become an avenue of attack for some crazy security shenanigans, right?

As it turns out, yes, breaking into a computer with nothing but a USB mouse is possible. The folks over at CT Magazine, the preeminent German computer rag, have made the Trojan mouse (German, terrible Google translation)

The only input a mouse receives are button presses, scroll wheel ticks, and the view from a tiny, crappy camera embedded in the base. The build reads this camera with an Arduino, and when a certain pattern of gray and grayer pixels appear, it triggers a command to download a file from the Internet. From there, and from a security standpoint, Bob’s your uncle.

Looking through the camera inside a mouse is nothing new; it’s been done over the Internet and turned into the worst scanner ever made. Still, being able to process that image data and do something with it is very cool. Just don’t accept mouse pads from strangers.

Danke [Ianmcmill] for the tip.

Automated Phone Cracker/App Tester Steps it Up a Notch

delta bot cracks your passwords

Delta robots like this automated phone tester are awesome: high speed, accuracy, and mesmerizing to watch. [Justin Engler], a security researcher from ISEC Partners (also speaks at DEFCON on occasion) needed a robot to help with repetitive testing. He contacted the folks over at Marginally Clever to see if they could help him out, and they came up with this slick delta robot.

Normally they build these robots out of plywood, but [Justin] requested a bit more of a modern look, and although it looks blue, it’s actually clear acrylic: they haven’t removed the protective film yet.  The robot is quite functional, but [Justin] plans on upgrading it in the future to increase the top speed. It currently has a built-in camera, using OpenCV to watch the log-in screen as it tries every combination as quickly as possible.

Stick around to see it in action!

[Read more...]