Hacking the D-Link DSP-W215 Smart Plug

DSP-W215

The D-Link DSP-W215 Smart Plug, a wireless home automation device for monitoring and controlling electrical outlets has just been hacked. Even though it isn’t readily available from Amazon or Best Buy yet, the firmware is already up on D-Link’s web site. The very well detailed write-up explains all the steps that led to this exploit creation.

First, the firmware was unpacked to examine the file system contents. It was found that the smart plug doesn’t have a normal web-based interface as users are expected to configure it using D-Link’s Android/iOS app. The apps however, appear to use the Home Network Administration Protocol (HNAP) to talk to the smart plug running a lighthttpd server. A look at the latter’s configuration file revealed the functions that could be called without any authentication. Another revealed that the firmware could accept an unlimited amount of POST request bytes which were copied in a fix length buffer without any performed checks. We’ll let our readers head to the original article to see where the author went from this point.

Samsung NX300 Gets Rooted

sammy

[Ge0rg] got himself a fancy new Samsung NX300 mirrorless camera. Many of us would just take some pretty pictures, but not [Ge0rg], he wanted to see what made his camera tick. Instead of busting out the screwdrivers, he started by testing his camera’s security features.

The NX300 is sold as a “smart camera” with NFC and WiFi connectivity. The NFC connectivity turns out to be just an NXP NTAG203 tag embedded somewhere in the camera. This is similar to the NFC tags we gave away at The Gathering in LA. The tag is designed to launch an android app on a well equipped smartphone. The tag can be write-locked, but Samsung didn’t set the lock bit. This means you can reprogram and permanently lock the tag as a link to your favorite website.

[Ge0rg] moved on to the main event, the NX300′s WiFi interface. A port scan revealed the camera is running an unprotected X server and Enlightenment. Let that sink in for a second. The open X server means that an attacker can spoof keystrokes, push images, and point applications to the camera’s screen.

In a second blog post, [Ge0rg] tackled attaining root access on the camera. Based on the information he had already uncovered, [Ge0rg] knew the camera was running Linux. Visiting Samsung’s open source software center to download the open source portions of the NX300 confirmed that. After quite a bit of digging and several red herrings, [Ge0rg] found what he was looking for. The camera would always attempt to run an autoexec.sh from the SD Card’s root folder at boot. [Ge0rg] gave the camera the script it was looking for, and populated it with commands to run BusyBox’s telnet daemon.  That’s all it took – root shell access was his.

 

[Image via Wikimedia Commons/Danrok]

Game Boy vs. Electronic Shelf Labels

SANYO DIGITAL CAMERAWhile they’re probably rare as hen’s teeth in the US, there have been a few major stores around the world that have started rolling out electronic shelf labels for every item in the store. These labels ensure every item on a shelf has the same price as what’s in the store’s computer, and they’re all controlled by an infrared transceiver hanging on the store’s ceiling. After studying one of these base stations, [furrtek] realized they’re wide open if you have the right equipment. The right equipment, it turns out, is a Game Boy Color.

The shelf labels in question are controlled by a base station with a decidedly non-standard carrier frequency and a proprietary protocol. IR driver chips found in phones are too slow to communicate with these labels, and old PDAs like Palm Pilots, Zauruses, and Pocket PCs only have an IrDA chip. There is one device that has an active development scene and an IR LED connected directly to a CPU pin, though, so [furrtek] started tinkering around with the hardware.

The Game Boy needed to be overclocked to get the right carrier frequency of 1.25 MHz. With a proof of concept already developed on a FPGA board, [furrtek] started coding for the Game Boy, developing an interface that allows him to change the ‘pages’ of these electronic labels, or display customized data on a particular label.

There’s also a much, much more facepalming implication of this build: these electronic labels’ firmware is able to be updated through IR. All [furrtek] needs is the development tools for the uC inside one of these labels.

There’s a great video [furrtek] put together going over this one. Check that out below.

Continue reading “Game Boy vs. Electronic Shelf Labels”

Building a Final Key

Final Key

Remembering passwords is a pain, and there’s a number of devices out there to make it easier. If you’re looking to roll your own, this guide to building a Final Key will walk you through the process.

We talked about the Final Key before. It’s a one button password manager that encrypts and stores your password. It acts as a virtual serial port for configuration. When you hit the button, it becomes a keyboard and types in the correct password.

The creator has no intentions of making this a commercial project for a number of reasons. Instead, easy build instructions are provided based on the Arduino Pro Micro. The 24LC512 EEPROM can be soldered directly to the Arduino by bending out the DIP legs. A few resistors, a button, and an LED finish off the project. The last step is to fill it with hot glue to prevent tampering.

The Final Key firmware is available on Github, and the case can be ordered from Shapeways. If you’re interested in hardware password management, you can also check out the Mooltipass which is being developed on Hackaday.

[Thanks to Lars for the tip!]

Sniping 2.4GHz

sniper

A long time ago when WiFi and Bluetooth were new and ‘wardriving’ was still a word, a few guys put a big antenna on a rifle and brought it to DefCon. Times have changed, technology has improved, and now [Hunter] has built his own improved version.

The original sniper Yagi was a simple device with a 2.4 GHz directional antenna taped onto the barrel, but without any real computational power. Now that displays, ARM boards, and the software to put this project all together are cheap and readily available, [Hunter] looked towards ubiquitous computing platforms to make his Sniper Yagi a little more useful.

This version uses a high gain (25dBi) antenna, a slick fold-out screen, and a Raspberry Pi loaded up with Raspberry Pwn, the pentesting Raspi distro, to run the gun. There’s a button connected to the trigger that will automatically search the WiFi spectrum for the best candidate for cracking and… get cracking.

[Hunter] says he hasn’t taken this highly modified airsoft rifle outside, nor has he pointed out a window. This leaves us with the question of how he’s actually testing it, but at least it looks really, really cool.

Electric Imp Locks and Unlocks your Door Automatically

2013-11-19 14.23.18

When the folks over at PinMeTo moved into a new office, they were dismayed to find out an extra key would run them a whopping 500 sek (~$75 USD). Instead, they decided to build their own automatic door lock using the Electric Imp system.

If you’re not familiar, the Electric Imp is a small SD card designed to provide internet (Wi-Fi) functionality to consumer devices. While it looks like an SD card, you cannot just plug it into any SD card slot and expect it to work — it still needs a prototyping board. We’ve seen it used to make a wireless thermal printer, or even make a tweeting cat door to let you know of any feline intruders!

Anyway — back to the hack. To move the lock cylinder they’re using a basic RC servo connected directly to the Imp. A flex sensor is installed on the side of the door over-top the lock — this provides feedback to the Imp whether or not the door is in fact locked. The Imp then communicates to Everymote to allow for keypad access from your mobile phone.

It probably ended up costing more in time and money than a new key, but hey, it looks like it was a fun project to do!

Using Bitcoin To Detect Malware

vigil

Now that you can actually buy things with bitcoins, it’s become a playground for modern malware authors. [Eric] recently lost about 5 BTC because of some malware he installed and decided to do something about it. He came up with BitcoinVigil, a web service that constantly looks at bitcoin honeypots and alerts you when bitcoins are surreptitiously removed.

The idea behind BitcoinVigil is to set up a Bitcoin wallet with a small amount of coins in it – only about $10 USD worth. When modern, Bitcoin-seeking malware is run on a computer, it looks for this ‘moneypot’ and sends an email out notifying the owner of the coins to stolen money.

[Eric] was at a LAN party a few weeks ago and ‘borrowed’ a friend’s copy of Starcraft 1. Just a few seconds after installing it, he received an alert notifying him about a few stolen bitcoins. This time [Eric] only lost a few microBTC, but better than the thousands of USD he lost before.