Facedancer board lets your Python programs pretend to be USB hardware

This is the prototype board for [Travis Goodspeed's] new USB development tool called the Facedancer. He took on the design with USB security exploits in mind, but we think it’s got a lot of potential for plain old development as well.

Kudos on the [Frank Herbert] reference when naming the project. Like the characters from the Dune mythology that can perfectly mimic any person they touch, this device let’s you mimic whatever you can imagine. One the USB ports connects to the victim (or host) the other connects to a development machine. Python can then be used to send USB commands in real time. Think of this as doing the same thing the Bus Pirate does for SPI and i2c, except that it’s doing it on the USB protocol itself. This way you can feel your way through all of the road-bumps of developing a new device (or testing an exploit) without the need to continually compile and flash your hardware.

Sony Google TV devices running unsigned kernels

The proud cry of “I am root” rings true once again, this time on Sony Google TV devices. Although a low-level exploit was found on previous firmware versions, a downgrade process lets you run unsigned kernels on updated TV or Bluray models of the Internet streaming devices.

These systems are Android-based, which currently run version 3.1 Honeycomb. This version patches the previous exploit, but with three different USB sticks you can downgrade, exploit, and upgrade to an altered and unsigned hack of the most recent kernel. This gives you the root access you may have been longing for, but other than the features discussed in the forum thread there’s not a whole lot of changes rolled into the exploit yet.

We’re always looking out for open source projects running on living-room devices and hope that someday we’ll see a branch of XBMC for the GTV. Until then we’ll just have to keep our fingers crossed for the viability of a RaspberryPI XBMC.

The future of cyberattacks

[Dino A. Dai Zovi] gave a talk in the earlier part of 2010 where he shares his thoughts on the future of malicious exploits. You can watch it on Ustream and he’s also posted a set of slides (PDF) that goes along with it. We find the 48 minute video to be quite interested. Instead of going into mundane detail, he covers the broader picture; what has been done in the past, what will happen in the future, and how are we currently ill-equipped to respond to future threats? That last question is covered throughout the video, but seems to come back to the concept that we are stuck in a rut of terminology and past practice that is impeding our ability to innovate security strategies at the same rate that the bad guys are coming up with the next nasty thing to come down the pipeline.

The new Apple TV

You’ve probably already heard about the Apple TV 2. It retails for $99 and packs a punch with HD video, optical audio, and WiFi in that tiny package. But as always, we like it for its hackability. Even though it’s just starting to ship, the hacks are already rolling in. The firmware is available from Apple’s servers and has already been unlocked with the yet-to-be-release SHAtter exploit. [Das_coach] even sent us a link to a video of the new Frontrow ported for the iPod touch (embedded after the break).

But the holy grail has to be XBMC. We’ve seen it on the first generation Apple TV and it was good. The second generation switches to the A4 processor which is an ARM Cortex-A8. Not quite as easy to port for as the Intel chip on the first generation was. But there is hope, one of the 2010 Google Summer of Code projects worked to port XBMC to another ARM device, it’s just a matter of inspiring some developers to take on the quest to make it happen. We can’t wait for the day that we can just velcro one of these to the back of our TV and be done with it, that first generation Xbox isn’t going to last forever.

[Read more...]

DRM causes vulnerabilities

This image is from Microsoft's DRM page.

We often hear people touting the evilness of DRM, but usually they are talking about the idea of ownership. In this case, DRM is actually causing harm. It turns out that Microsoft’s msnetobj.dll, which is supposed to enforce DRM on your computer, stopping you from doing certain things like saving files you don’t “own” is open to 3 attacks.  Vulnerable to buffer overflow, integer overflow, and denial of service, this sucker is riddled with issues.

The vulnerabilities in this file aren’t groundbreaking. Buffer overflow is a common method to get to many systems. The problem here, according to some commenters at BoingBoing, is the fact that this DLL is called every time you open a media file.

[via BoingBoing]

PSGroove on a PIC microcontroller

There’s now a method of using PIC microcontrollers to exploit the PlayStation 3. This is centered around a PIC 18F2550 which has been popular in past hacks because of its built-in USB serial port. This again makes use of the PSGroove open source exploit code and, like the TI calculator version, seeks to expand the selection of hardware the code runs on.

In addition to the chip and a PIC programmer you’ll need the CCS compiler as others cannot successfully compile this code. A licensed copy is necessary because the demo version of the CCS compiler doesn’t support this particular chip. Add to that the fact that because of the timing it may take several tries to achieve the exploit and you may find yourself disappointed by this development. But there’s always room for improvement and this is a proven first step on the new architecture.

[Thanks das_coach via PS3Hax via Elotrolado]

PS3 exploit released

You can now download the exploit package for the PlayStation 3. [Geohot] just posted the code you need to pull off the exploit we told you about on Sunday, making it available on a “silver platter” with just a bit of explanation on how it works. He’s located a critical portion of the memory to attack. By allocating it, pointing a whole bunch of code at those addresses, then deallocating it he causes many calls to invalid addresses. At the same time as those invalid calls he “glitches” the memory bus using a button on his FPGA board to hold it low for 40ns. This trips up the hypervisor security and somehow allows read/write access to that section of memory. Gentleman and Ladies, start your hacking. We wish you the best of luck!

[Thanks Phileas]

Follow

Get every new post delivered to your Inbox.

Join 92,278 other followers