security hacks

War Gaming for Security Cred

February 8, 2015 by 11 Comments

Maybe you are an elite hax0r. But probably not. Maybe you feel like you should know more about how systems are compromised, and we’re all about that. You can’t keep the black hats out if you have no idea how they go about breaking in in the first place. That’s why war-gaming sites sprouted up in the first place. We find this one in particular to be delightfully engaging. OverTheWire’s Wargames teach you a little about security while the uninitiated also learn about simple concepts like SSH and, well… Linux!

On-the-job training is the best way to learn, and this is pretty close to it. Instead of providing an artificial avenue of learning the creators of OverTheWire have used the real thing to illustrate poor online security. You don’t “play the game” on an artificial web interface, you do it on legitimate platforms. The very first level (appropriately named Level 0) starts by figuring out how to connect to a system using Secure Shell (aka SSH). From there you’re prompted to use Linux command line tools to figure out where to go next.

Even veteran Linux/Security users should find this offering entertaining. The early stages are both quick and simple to navigate as an experienced admin while providing a welcoming learning platform for those who aren’t quite there yet. Work your way through a few different “servers” and before long your own knowledge will be tested. This isn’t a new platform, mentions of the site in Hackaday comments go back to 2010. But if you haven’t given it a try, Wargames is well worth adding to your weekend entertainment list.

[Thanks NightPhoenix]

BMW Remote Unlock Wasn’t Using Secure HTTP

February 1, 2015 by 33 Comments

Ah, the old HTTP versus HTTPS. If you want to keep people out, that trailing ‘S’ should be the first thing you do, especially if you’re trying to keep people out of a luxury automobile. It turns out that BMW screwed up on that one.

BMW has an infotainment feature called ConnectedDrive which builds your favorite apps and services right into the dashboard. You can even unlock the vehicle using this system which is built around a piece of hardware that includes a GSM modem and permanent SIM card. A security research group recently discovered that the commands sent for this system were being pushed over HTTP, the unencrypted sibling of HTTPS. The firm, hired by German automobile club ADAC, disclosed the vulnerability and an over-the-air upgrade has already been pushed to patch the flaw. The patch is described to have “turned on” the HTTPS which makes us think that it was always meant to be used and just configured incorrectly in the roll-out. We’ll leave you to debate that point in the comments. Seriously, how does something like this happen? It certainly sheds a lot more light on thieves being able to magically unlock high-end cars. Was this how they were doing it?

[Thanks Fabian]

Cracking Weather Station Checksum

January 30, 2015 by 7 Comments

[BaronVonSchnowzer] is spinning up some home automation and settled on an inexpensive ambient temperature sensor which is sold to augment the data a home weather station collects. He found that the RF protocol had been reverse engineered and will use this information to harvest data from a sensor in each room. In true hacker fashion, he rolled his own advances out to the Internet so that others may benefit. Specifically, he reverse engineered the checksum used by the Ambient F007TH.

He got onto this track after trying out the Arduino sketch written to receive the sensor’s RF communications. One peculiar part of the code turned out to be a filter for corrupt messages as the protocol’s checksum hadn’t yet been worked out. Figuring out how the checksum byte owrks wasn’t an easy process. The adventure led him to dump 13k samples into a spreadsheet to see if sorting similar sets of 5-byte message and 1-byte checksum would shed some light on the situation. The rest of the story is some impressive pattern matching that led to the final algorithm. Now [BaronVonSchnowzer] and anyone else using these modules can filter out corrupt data in the most efficient way possible.

Resurrecting Capcom’s Kabuki

January 28, 2015 by 31 Comments

About a dozen old Capcom arcade titles were designed to run on a custom CPU. It was called the Kabuki, and although most of the core was a standard Z80, a significant portion of the die was dedicated to security. The problem back then was arcade board clones, and when the power was removed from a Kabuki CPU, the memory contents of this security setup were lost, the game wouldn’t play, and 20 years later, people writing emulators were tearing their hair out.

Now that these games are decades old, the on-chip security for the Kabuki CPU is a problem for those who have taken up the task of preserving these old games. However, now these CPUs can be decuicided, programming the chip and placing them in an arcade board without losing their memory contents.

Earlier we saw [ArcadeHacker] a.k.a. [Eduardo]’s efforts to resurrect these old CPUs. He was able to run new code on the Kabuki, but to run the original, unmodified ROMs that came in these arcade games required hardware. Now [ArcadeHacker] has it.

The setup consists of a chip clip that clamps over the Kabuki CPU. With a little bit of Arduino code, the security keys for original, unmodified ROMs can be flashed, put into the arcade board (where the contents of the memory are backed up by a battery), and the clip released. [ArcadeHacker] figures this is how each arcade board was programmed in the factory.

If you’re looking for an in-depth technical description of how to program a Kabuki, [ArcadeHacker] has an incredibly detailed PDF right here.

Continue reading “Resurrecting Capcom’s Kabuki”

Laser Trip Wire With Keypad Arming

January 28, 2015 by 17 Comments

Most of us have had a sibling that would sneak into our room to swipe a transistor, play your guitar or just mess with your stuff in general. Now there’s a way to be immediately alerted when said sibling crosses the line, literally. [Ronnie] built a laser trip wire complete with an LCD screen and keypad for arming and disarming the system.

The brains of the project is an Arduino. There’s a keypad for inputting pass codes and an LCD screen for communicating if the entered code is correct or not. [Ronnie] wrote his own program using the keypad.h, liquidcrystal.h and password.h libraries. A small laser pointer is shined at a Light Dependent Resistor which in turn outputs an analog signal to the Arduino. When the laser beam is interrupted, the output voltage drops, the Arduino sees that voltage drop and then turns on the alarm buzzer. The value that triggers the alarm is set mid-way between the values created by normal daylight and when the laser beam is hitting the LDR. [Ronnie] made his code and wiring diagram available for anyone who’s interested in making their own laser trip wire.

Hopefully, [Ronnie’s] pesky little brother didn’t watch his YouTube video (view it after the break) to find out the secret pass code. For a laser trip wire sans keypad, check out this portable one.

Continue reading “Laser Trip Wire With Keypad Arming”

Motion Activated Alarm for your Bag

January 27, 2015 by 23 Comments

Many of us carry around a bag with our expensive personal belongings. It can be a pain to carry a bag around with you all day though. If you want to set it down for a while, you often have to try to keep an eye on it to ensure that no one steals it. [Micamelnyk] decided to build a solution to this problem in the form of a motion sensing alarm.

The device is built around a Trinket Pro. The Trinket Pro is a sort of break out board for the ATMega328. It’s compatible with the Arduino IDE and also contains a USB port for easy programming. The Trinket is hooked up to a GY-521 accelerometer, which allows it to detect motion. When the Trinket senses that the device has been moved, it emits a loud high-pitched whine from a piezo speaker.

To arm the device, the user first holds the power button for 3 seconds. Then the user has ten seconds to enter their secret code. This ensures that the device is never armed accidentally and that the user always remembers the code before arming the device. The code is entered via four push buttons mounted to a PCB. The code and code length can both be easily modified in the Trinket software.

Once the code is entered, the status LED will turn solid. This indicates to the user that the device must be placed stationary. The LED will turn off after 20 seconds, indicating that the alarm is now armed. If the bag is moved for more than five seconds at a time, the alarm will sound. The slight delay gives the user just enough time to disarm the alarm. This parameter can also be easily configured via software.

Using HID Tricks to Drop Malicious Files

January 27, 2015 by 38 Comments

[Nikhil] has been experimenting with human interface devices (HID) in relation to security. We’ve seen in the past how HID can be exploited using inexpensive equipment. [Nikhil] has built his own simple device to drop malicious files onto target computers using HID technology.

The system runs on a Teensy 3.0. The Teensy is like a very small version of Arduino that has built-in functionality for emulating human interface devices, such as keyboards. This means that you can trick a computer into believing the Teensy is a keyboard. The computer will treat it as such, and the Teensy can enter keystrokes into the computer as though it were a human typing them. You can see how this might be a security problem.

[Nikhil’s] device uses a very simple trick to install files on a target machine. It simply opens up Powershell and runs a one-liner command. Generally, this commend will create a file based on input received from a web site controlled by the attacker. The script might download a trojan virus, or it might create a shortcut on the user’s desktop which will run a malicious script. The device can also create hot keys that will run a specific script every time the user presses that key.

Protecting from this type off attack can be difficult. Your primary option would be to strictly control USB devices, but this can be difficult to manage, especially in large organizations. Web filtering would also help in this specific case, since the attack relies on downloading files from the web. Your best bet might be to train users to not plug in any old USB device they find lying around. Regardless of the methodology, it’s important to know that this stuff is out there in the wild.