Millions of Satellite Receivers are Low-Hanging Fruit for Botnets

Satellite television is prevalent in Europe and Northern Africa. This is delivered through a Set Top Box (STB) which uses a card reader to decode the scrambled satellite signals. You need to buy a card if you want to watch. But you know how people like to get something for nothing. This is being exploited by hackers and the result is millions of these Set Top Boxes just waiting to form into botnets.

This was the topic of [Sofiane Talmat’s] talk at DEF CON 23. He also gave this talk earlier in the week at BlackHat and has published his slides (PDF).

stb-hardwareThe Hardware in Satellite receivers is running Linux. They use a card reader to pull in a Code Word (CW) which decodes the signal coming in through the satellite radio.

An entire black market has grown up around these Code Words. Instead of purchasing a valid card, people are installing plugins from the Internet which cause the system to phone into a server which will supply valid Code Words. This is known as “card sharing”.

On the user side of things this just works; the user watches TV for free. It might cause more crashes than normal, but the stock software is buggy anyway so this isn’t a major regression. The problem is that now these people have exposed a network-connected Linux box to the Internet and installed non-verified code from unreputable sources to run on the thing.

[Sofiane] demonstrated how little you need to know about this system to create a botnet:

  • Build a plugin in C/C++
  • Host a card-sharing server
  • Botnet victims come to you (profit)

It is literally that easy. The toolchain to compile the STLinux binaries (gcc) is available in the Linux repos. The STB will look for a “bin” directory on a USB thumb drive at boot time, the binary in that folder will be automatically installed. Since the user is getting free TV they voluntarily install this malware.

Click through for more on the STB Hacks.

Continue reading “Millions of Satellite Receivers are Low-Hanging Fruit for Botnets”

Hacking a KVM: Teach a Keyboard Switch to Spy

When it comes to large systems, there are a lot more computers than there are people maintaining them. That’s not a big deal since you can simply use a KVM to connect one Keyboard/Video/Mouse terminal up to all of them, switching between each box simply and seamlessly. The side effect is that now the KVM has just as much access to all of those systems as the human who caresses the keyboard. [Yaniv Balmas] and [Lior Oppenheim] spent some time reverse engineering the firmware for one of these devices and demonstrated how shady firmware can pwn these systems, even when some of the systems themselves are air-gapped from the Internet. This was their first DEF CON talk and they did a great job of explaining what it took to hack these devices.

Continue reading “Hacking a KVM: Teach a Keyboard Switch to Spy”

Cory Doctorow Rails Against the Effect of DRM and the DMCA

If you weren’t at [Cory Doctorow’s] DEF CON talk on Friday you missed out. Fighting Back in the War on General Purpose Computing was inspiring, informed, and incomparable. At the very lowest level his point was that it isn’t the devices gathering data about us that is the big problem, it’s the legislation that makes it illegal for us to make them secure. The good news is that all of the DEF CON talks are recorded and published freely. While you wait for that to happen, read on for a recap and to learn how you can help the EFF fix this mess.

Continue reading “Cory Doctorow Rails Against the Effect of DRM and the DMCA”

Hacker Airlines: United Awards 1M Air Miles For Vulnerability

We’re really happy to see companies getting serious about rewarding white hat hackers. The latest example of this is when [Jordan Wiens] submitted two bugs and was awarded 1,000,000 Sky Miles on United Airlines.

The bounty is so high because he uncovered a method of remote code execution which United has since patched. Unfortunately, United requires bug secrecy so we’re not getting any of the gritty details like we have for some of the recently discovered Facebook vulnerabilities. That’s really too bad because sharing the knowledge about what went wrong helps programmers learn to avoid it in the future. But we still give United a big nod for making this kind of work and responsible reporting worthwhile. [Jordan] did an AMA last night which covered some more general hacking questions.

If you want to turn your leet skills into free travel you need to be a MileagePlus member and not reside in a US sanctioned country. Details on United’s Bug Bounty page.

ProxyGambit Better Than ProxyHam; Takes Coffee Shop WiFi Global

Last weekend saw the announcement of ProxyHam, a device that anonymizes Internet activity by jumping on WiFi from public libraries and cafes over a 900MHz radio link. The project mysteriously disappeared and was stricken from the DEFCON schedule. No one knows why, but we spent some time speculating on that and on what hardware was actually used in the undisclosed build.

[Samy Kamkar] has just improved on the ProxyHam concept with ProxyGambit, a device that decouples your location from your IP address. But [Samy]’s build isn’t limited to ProxyHam’s claimed two-mile range. ProxyGambit can work anywhere on the planet over a 2G connection, or up to 10km (6 miles) away through a line-of-sight point to point wireless link.

The more GSM version of ProxyGambit uses two Adafruit FONA GSM breakout boards, two Arduinos, and two Raspberry Pis. The FONA board produces an outbound TCP connection over 2G. The Arduino serves as a serial connection over a reverse TCP tunnel and connects directly to the UART of a Raspberry Pi. The Pi is simply a network bridge at either end of the connection. By reverse tunneling a TCP connection through the ‘throwaway’ part of the build, [Samy] can get an Internet connection anywhere that has 2G service.

Although it’s just a proof of concept and should not be used by anyone who actually needs anonymity, the ProxyGambit does have a few advantages over the ProxyHam. It’s usable just about everywhere on the planet, and not just within two miles of the public WiFi access point. The source for ProxyGambit is also available, something that will never be said of the ProxyHam.

How To Build A ProxyHam Despite A Cancelled DEFCON Talk

A few days ago, [Ben Caudill] of Rhino Security was scheduled to give a talk at DEFCON. His project, ProxyHam, is designed for those seeking complete anonymity online. Because IP addresses can be tied to physical locations, any online activities can be tracked by oppressive regimes and three letter government agencies. Sometimes, this means doors are breached, and “seditious” journalists and activists are taken into custody.

With the ProxyHam, the link between IP addresses and physical locations is severed. ProxyHam uses a 900MHz radio link to bridge a WiFi network over miles. By hiding a ProxyHam base station in a space with public WiFi, anyone can have complete anonymity online; if the government comes to take you down, they’ll first have to stop at the local library, Starbucks, or wherever else has free WiFi.

[Ben Caudill] will not be giving a talk at DEFCON. It wasn’t the choice of DEFCON organizers to cancel the talk, and it wasn’t his employers – [Ben] founded and is principal consultant at Rhino Security. The talk has been killed, and no one knows why. Speculation ranges from National Security Letters to government gag orders to a far more pedestrian explanations like, “it doesn’t work as well as intended.” Nevertheless, the details of why the ProxyHam talk was cancelled will never be known. That doesn’t mean this knowledge is lost – you can build a ProxyHam with equipment purchased from Amazon, Newegg, or any one of a number of online retailers.

Continue reading “How To Build A ProxyHam Despite A Cancelled DEFCON Talk”

True Random Number Generator for a True Hacker

How can you generate random bits? Some people think it’s not easy, others will tell you that it’s pretty damn hard, and then there are those who wonder if it is possible at all. Of course, it is easy to create a very long pseudorandom sequence in software, but even the best PRNG (Pseudorandom Number Generator) needs a good random seed, as we don’t want to get the same sequence each time we switch on the unit, do we? That’s why we need a TRNG (True Random Number Generator), but that requires special hardware.

Some high-end microprocessors are equipped with an internal hardware TRNG, but it is, unfortunately, not true for most low-cost microcontrollers. There are a couple of tricks hackers use to compensate. They usually start the internal free running counter and fetch its contents when some external event occurs (user presses a button, or so). This works, but not without disadvantages. First, there is the danger of “locking” those two events, as a timer period may be some derivative of input scan routine timing. Second, the free running time (between switching on and the moment the unit requests a random number) is often too short, resulting in the seed being too close to the sequence start, and thus predictable. In some cases even, there is no external input before the unit needs a random seed!

Despite what has already been discussed, microcontrollers do have a source of true randomness inside them. While it might not be good enough for crypto applications, it still generates high enough entropy for amusement games, simulations, art gadgets, etc.

Continue reading “True Random Number Generator for a True Hacker”