Bad Code Results in Useless Passwords

[HeadlessZeke] was excited to try out his new AT&T wireless cable box, but was quickly dismayed by the required wireless access point that came bundled with it. Apparently in order to use the cable box, you also need to have this access point enabled. Not one to blindly put unknown devices on his network, [HeadlessZeke] did some investigating.

The wireless access point was an Arris VAP2500. At first glance, things seemed pretty good. It used WPA2 encryption with a long and seemingly random key. Some more digging revealed a host of security problems, however.

It didn’t take long for [HeadlessZeke] to find the web administration portal. Of course, it required authentication and he didn’t know the credentials. [HeadlessZeke] tried connecting to as many pages as he could, but they all required user authentication. All but one. There existed a plain text file in the root of the web server called “admin.conf”. It contained a list of usernames and hashed passwords. That was strike one for this device.

[HeadlessZeke] could have attempted to crack the passwords but he decided to go further down this rabbit hole instead. He pulled the source code out of the firmware and looked at the authentication mechanism. The system checks the username and password and then sets a cookie to let the system know the user is authenticated. It sounds fine, but upon further inspection it turned out that the data in the cookie was simply an MD5 hash of the username. This may not sound bad, but it means that all you have to do to authenticate is manually create your own cookie with the MD5 hash of any user you want to use. The system will see that cookie and assume you’ve authenticated. You don’t even have to have the password! Strike two.
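To make strike two concrete, here is an added example (not code from the device firmware or from [HeadlessZeke]'s write-up) that puts a cookie check of the kind the article describes next to one whose cookie cannot be derived from public data. The user table and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed user table standing in for the device's admin.conf.
USERS = {"admin", "guest"}

# --- Scheme the article describes: the cookie is just MD5(username). ---
def vulnerable_issue_cookie(username: str) -> str:
    """What the portal stores after a 'successful' login. The password plays no part."""
    return hashlib.md5(username.encode()).hexdigest()

def vulnerable_cookie_valid(cookie: str) -> bool:
    """Accepts any cookie equal to MD5 of a known username, so knowing a name
    is all it takes to produce a cookie this check accepts."""
    return any(vulnerable_issue_cookie(u) == cookie for u in USERS)

# --- Hardened scheme: random token minted only after the password check passes. ---
SERVER_KEY = secrets.token_bytes(32)      # per-boot secret, not derived from any user data
_sessions: Dict[str, str] = {}            # token -> username, held server-side

def issue_session(username: str, password_ok: bool) -> Optional[str]:
    """Returns a cookie only when the caller's password verification succeeded."""
    if not password_ok or username not in USERS:
        return None
    token = secrets.token_urlsafe(32)     # unguessable; contains no '.'
    _sessions[token] = username
    tag = hmac.new(SERVER_KEY, token.encode(), "sha256").hexdigest()
    return f"{token}.{tag}"

def hardened_cookie_user(cookie: str) -> Optional[str]:
    """Rejects anything issue_session did not mint: the HMAC fails for a forged or
    altered token, and the table lookup fails for a token that was never issued."""
    token, sep, tag = cookie.rpartition(".")
    if not sep or not tag.isascii():
        return None
    expected = hmac.new(SERVER_KEY, token.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return _sessions.get(token)
```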

Now that [HeadlessZeke] was logged into the administration site, he was able to gain access to more functions. One page actually allows the user to select a command from a drop down box and then apply a text argument to go with that command. The command is then run in the device’s shell. It turned out the text arguments were not sanitized at all. This meant that [HeadlessZeke] could append extra commands to the initial command and run any shell command he wanted. That’s strike three. Three strikes and you’re out!
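For strike three, an added example (not the device's code) that contrasts building one shell string from the drop-down value and the free-text argument with validating the argument against an allowlist and passing it as a single argv element. The command table is constructed; the article does not list the device's actual commands.

```python
import subprocess
from typing import Dict, List, Optional

# Constructed stand-in for the drop-down: display name -> fixed argv prefix.
ALLOWED_COMMANDS: Dict[str, List[str]] = {
    "ping": ["ping", "-c", "1"],
    "nslookup": ["nslookup"],
}

def vulnerable_command_line(command: str, argument: str) -> str:
    """Builds one shell string from the drop-down value and the text box. When this
    string is handed to a shell, every metacharacter in `argument` is interpreted,
    which is how the article's strike three arises."""
    return f"{ALLOWED_COMMANDS[command][0]} {argument}"

def hardened_argv(command: str, argument: str) -> Optional[List[str]]:
    """Returns an argv list for subprocess (no shell), or None if anything is rejected.
    The command must be a known key and the argument a single host-like token, so
    characters the shell treats specially never get through."""
    base = ALLOWED_COMMANDS.get(command)
    if base is None:
        return None
    if not 1 <= len(argument) <= 253:          # longest legal hostname
        return None
    if not all((ch.isascii() and ch.isalnum()) or ch in ".-_:" for ch in argument):
        return None
    return base + [argument]

def run_diagnostic(command: str, argument: str, timeout: float = 5.0) -> str:
    """Executes the validated argv with shell=False, so the argument is one argv
    element and cannot be reinterpreted as a second command."""
    argv = hardened_argv(command, argument)
    if argv is None:
        raise ValueError("rejected command or argument")
    result = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=timeout)
    return result.stdout + result.stderr
```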

[HeadlessZeke] reported these vulnerabilities to Arris and they have now been patched in the latest firmware version. Something tells us there are likely many more vulnerabilities in this device, though.

[via Reddit]

Retrotechtacular: Ma Bell’s Advanced Mobile Phone Service (AMPS)

This gem from the AT&T Archive does a good job of explaining the first-generation cellular technology that AT&T called Advanced Mobile Phone Service (AMPS). The hexagon-cellular network design was first conceived at Bell Labs in 1947. After a couple of decades spent pestering the FCC, AT&T was awarded the 850MHz band in the late 1970s. It was this decision coupled with the decades worth of Bell System technical improvements that gave cellular technology the bandwidth and power to really come into its own.

AT&T’s primary goals for the AMPS network were threefold: to provide more service to more people, to improve service quality, and to lower the cost to subscribers. Early mobile network design gave us the Mobile Service Area, or MSA. Each high-elevation transmitter could serve a 20-mile radius of subscribers, a range which constituted one MSA. In the mid-1940s, only 21 channels could be used in the 35MHz and 150MHz band allocations. The 450MHz band, introduced in 1952, provided another 12 channels.

The FCC’s allocation opened a whopping 666 channels in the neighborhood of 850MHz. Bell Labs’ hexagonal innovation sub-divided the MSAs into cells, each with a radius of up to ten miles.

The film explains quite well that in this arrangement, each cell set of seven can utilize all 666 channels. Cells adjacent to each other in the set must use different channels, but any cell at least 100 miles away can use the same channels. Furthermore, cells can be subdivided or split. Duplicate frequencies are dealt with through the FM capture effect in which the weaker signal is suppressed.

Those Bell System technical improvements facilitated the electronic switching that takes place between the Mobile Telephone Switching Office (MTSO) and the POTS landline network. They also realized the automatic control features required of the AMPS project, such as vehicle location and automatic channel assignment. The film concludes its lecture with step-by-step explanations of inbound and outbound call setup where a mobile device is concerned.

Hackaday Links: October 5th, 2014

Good news from CadSoft this week. They didn’t miss all the complaints about their decision to use a Node Lock License for EAGLE 7. This had meant that users of the popular PCB design software would be limited in how many machines they could use the software on under one license. They have removed License Management from the package (and all the citizens rejoiced).

We’re tripping over the growing pile of hardware that boasts the “next-big-thing” in getting devices onto a network. That’s not a complaint at all. This time around it’s a cell chip, the U-blox SARA-U260, which can connect to 3G on the AT&T network and is just 16x26mm. They call it the world’s smallest, but we have no idea if that’s true or not. Anyone have a source and/or pricing for these? [Thanks Austin]

This guy loves his Nixie tube. How much? To the extent that he built up a hardware and software interface that behaves much like a pet. It’s voice activated, and the infectious delight of [Glasslinger’s] video demo is in itself worth watching. [Thanks Morris]

Making this Magnetic Stripe Reader work as a USB device is really nothing more than adding a serial-to-USB converter. The journey to find the way to add the converter makes for a fun read though.

We know from watching Breaking Bad that you can kill power to a building by shorting the power lines outside with a huge bouquet of mylar balloons. This installation is a twist on the idea. Connecting one mylar balloon to a Van de Graaff generator and floating it next to another results in an oscillating repel-discharge-repel cycle. [Thanks filnt via NPR]

How to Upgrade Jasper’s Voice Recognition with AT&T’s Speech-to-Text API

Jasper is an open-source platform for developing always-on voice-controlled applications — you talk and your electronics listen! It’s designed to run on a Raspberry Pi. [Zach] has been playing around with it and wasn’t satisfied with Jasper’s built-in speech-to-text recognition system. He decided to take the advice of the Jasper development team and modify the system to use AT&T’s speech-to-text engine.

The built-in system works, but it has limitations. Mainly, you have to specify exactly which keywords you want Jasper to look out for. This can be problematic if you aren’t sure what the user is going to say. It can also cause problems when there are many possibilities of what the user might say. For example if the user is going to say a number between one and one hundred, you don’t want to have to type out all one hundred numbers into the voice recognition system in order to make it work.

The Jasper FAQ does recommend using AT&T’s speech-to-text engine in this situation, but this has its own downsides. You are limited to only one request per second and it’s also slower to recognize the speech. [Zach] was just fine with these restrictions, but he couldn’t find much information online about how to modify Jasper to make the AT&T engine work. Now that he’s gotten it functional, he shared his work to make it easier for others.

The modification first requires that you have an AT&T developer account. Once that’s set up, you need to make some changes to Jasper’s mic.py module. That’s the only part of Jasper’s core that must be changed, and it’s only a few lines of code. Outside of that, there are a couple of other Python scripts that need to be added. We won’t go into the finer details here since [Zach] goes into great detail on his own page, including the complete scripts. If you are interested in using the AT&T module with your Jasper installation, be sure to check out [Zach’s] work. He will likely save you a lot of time.

VCF East: PR1ME And AT&T Unix Boxes

At the Vintage Computer Festival last weekend, there was a wonderful representation of small 8 and 16-bit home computers from the 80s, an awful lot of PDP and VAX-based minicomputers, and even some very big iron in the form of a UNIVAC and a Cray. You might think this is a good representation of computing history, but there was actually a huge gap in the historical reality. Namely, workstations and minicomputers that weren’t made by DEC.

[Ian Primus] was one of the very few people to recognize this shortcoming and brought his PRIME minicomputer. This was a huge, “two half racks, side by side” computer running PRIMOS, an operating system written in FORTRAN. Of course this made it extremely popular with engineering teams, but that doesn’t mean [Ian] can’t have fun with it. He had two terminals set up, one running Dungeon (i.e. Zork pre-Infocom) and a text-based lunar lander game.

Because the VCF East is held in New Jersey, it’s probably no surprise a few vintage AT&T Unix boxes showed up. [Anthony Stramaglia] brought in a few very cool vintage Unix workstations, dating from the early to mid 80s. In the video, he shows off two AT&T boxes. The first is a UNIX PC, containing a 68010 clocked at a blistering 10 MHz. Next up is the UNIX PC’s bigger brother, the 3B2 400. This is the workstation found on just about every desk at Bell Labs in the 80s, meaning this is the same computer [Ken Thompson] and [Dennis Ritchie] used for their work on UNIX.

Retrotechtacular: Bell Labs introduces a thing called ‘UNIX’

Modern operating systems may seem baroque in their complexity, but nearly every one of them – except for Windows, natch – is based on the idea of simplicity and modularity. This is the lesson that UNIX taught us, explained perfectly in a little film from Bell Labs in 1982 starring giants of computation, [Dennis Ritchie], [Ken Thompson], [Brian Kernighan], and others.

At the time this film was made, UNIX had been around for about 10 years. In that time, it had moved far from an OS cloistered in giant mainframes attached to teletypes to slightly smaller minicomputers wired up to video terminals. Yes, smallish computers like the Apple II and the VIC-20 were around by this time, but they were toys compared to the hulking racks inside Bell Labs.

The film explains the core concept of UNIX by demonstrating modularity with a great example by [Brian Kernighan]. He took a short passage from a paper he wrote and found spelling errors by piping his paper through different commands from the shell. First the words in the paper were separated line by line, made lowercase, and sorted alphabetically. All the unique words were extracted from this list, and compared to a dictionary. A spell checker in one line of code, brought to you by the power of UNIX.

Rooting your AT&T U-verse modem

Unhappy with the performance of his U-verse modem, [Jordan] decided to dig in and see if a bit of hacking could improve the situation. Motorola makes this exclusively for AT&T and there are no other modems on the market which can be used instead. Luckily he was able to fix almost everything that was causing him grief. This can be done in one of two ways. The first is a hardware hack that gains access to a shell through the UART. The second is a method of rooting the device from its stock web interface.

We think the biggest improvement gained by hacking this router is true bridge mode. The hardware is more than capable of behaving this way but AT&T has disabled the feature with no option for an unmodified device to use it. By enabling it the modem does what a modem is supposed to do: translate between WAN and LAN. This allows routing to be handled by a router (novel idea huh?).