Arduino + Software Defined Radio = Millions of Vulnerable Volkswagens

As we’ve mentioned previously, the integrity of your vehicle in an era where even your car can have a data connection could be a dubious bet at best. Speaking to these concerns, a soon-to-be published paper (PDF) out of the University of Birmingham in the UK, states that virtually every Volkswagen sold since 1995 can be hacked and unlocked by cloning the vehicle’s keyfob via an Arduino and software defined radio (SDR).

The research team, led by [Flavio Garcia], have described two main vulnerabilities: the first requires combining a cyrptographic key from the vehicle with the signal from the owner’s fob to grant access, while the second takes advantage of the virtually ancient HiTag2 security system that was implemented in the 1990s. The former affects up to 100 million vehicles across the Volkswagen line, while the latter will work on models from Citroen, Peugeot, Opel, Nissan, Alfa Romero, Fiat, Mitsubishi and Ford.

Continue reading “Arduino + Software Defined Radio = Millions of Vulnerable Volkswagens”

Unexpected Betrayal From Your Right Hand Mouse

Some people really enjoy the kind of computer mouse that would not be entirely out of place in a F-16 cockpit. The kind of mouse that can launch a browser with the gentle shifting of one of its thirty-eight buttons ever so slightly to the left and open their garage door with a shifting to the right of that same button. However, can this power be used for evil, and not just frustrating guest users of their computer?

We’ve heard of the trusted peripheral being repurposed for nefarious uses before. Sometimes they’ve even been modified for more benign purposes. All of these have a common trend. The mouse itself must be physically modified to add the vulnerability or feature. However, the advanced mice with macro support can be used as is for a vulnerability.

The example in this case is a Logitech G-series gaming mouse. The mouse has the ability to store multiple personal settings in its memory. That way someone could take the mouse to multiple computers and still have all their settings available. [Stefan Keisse] discovered that the 100 command limit on the macros for each button are more than enough to get a full reverse shell on the target computer.

Considering how frustratingly easy it can be to accidentally press an auxiliary button on these mice, all an attacker would need to do is wait after delivering the sabotaged mouse. Video of the exploit after the break.

Continue reading “Unexpected Betrayal From Your Right Hand Mouse”

LastPass Happily Forfeits Passwords to Simple Javascript

Lastpass is a great piece of software when it comes to convenience, but a recent simple hack shows just how insecure software like it can be. [Mathias Karlsson] nabbed a nice $1000 bounty for its discovery.

Lastpass’s auto-fill works by injecting some html into the website you’re visiting. It runs a bit of Javascript to parse the URL. However, the parsing script was laughably vague. By changing the URL of the page, inserting a few meaningless-to-the server slugs into the URL, an attacker could get Lastpass to give it a password and username combo for any website.

The discussion in the HackerNews comment section more-or-less unilaterally agreed that most systems like this have their glaring flaws, but that the overall benefits of having secure passwords generated and managed by software was still worth the risk when compared to having a few commonly reused passwords over multiple sites.

One could get a more secure key manager by using software like KeePass, but it’s missing some of the convenience factor of remote-based services and relies on a user protecting their key files adequately.

Still, as scary as they are, openly discussing hacks like this after responsible disclosure is good because they force companies like Lastpass, who have some very big name clients, to take their code review and transparency more seriously.

Root on the Philips Hue IoT Bridge

Building on the work of others (as is always the case!) [pepe2k] managed to get root access on the Philips Hue Bridge v2 IoT light controller. There’s nothing unusual here, really. Connect to the device over serial, interrupt the boot process, boot up open firmware, dump the existing firmware, and work the hacker magic from there.

Of course, the details are the real story. Philips had set U-Boot to boot the firmware from flash in zero seconds, not allowing [pepe2k] much time to interrupt it. So he desoldered the flash, giving him all the time in the world, and allowing him to change the boot delay. Resoldering the flash and loading up his own system let him dump the firmware.

The “hacker magic” glossed over in the intro consisted of poking around until he found a script that was called on every boot. This is how [pepe2k] gets around not knowing the root password. The script compares the hash of the typed password with an environment variable, set with the hash of the correct password. Changing that environment variable to the hash of his favorite password (“root”) made him master of the box.

And just in case you’re one of the few Hackaday readers who doesn’t understand why we do these things, besides the fact that it’s just fun, consider Philips’ (eventually retracted) clampdown on the interoperability of this very device, or Google’s red bricks. The fatal flaw of IoT devices is that they place you at the whims of companies who may decide that they’re not making enough money any more, and shut them down. Keep your hacking skills sharp.

Thanks [Jan] for the great tip!

[HomoFaciens] Shows Off With DIY Paper Printer

[HomoFaciens] is always making us feel silly about our purchases. Did we really need to buy a nice set of stepper motors for that automation project? Couldn’t we have just used some epoxy and a threaded rod to make an encoder? Did we need to spend hours reading through the documentation for an industrial inkjet head? Couldn’t we just have asked ourselves, “What would [HomoFaciens] do?” and then made a jailhouse tattoo gun attached to a broken printer carriage and some other household tech trash?

In his continuing work for his Hackaday prize entry, which we have covered before, his latest is a ink (…drop? ) printer. We think the goal is a Gingery book for CNC.  He begins to combine all his previous work into a complete assembly. The video, viewable after the break, starts by explaining the function of a salvaged printer carriage. A motor attached to a belt moves the carriage back and forth; the original linear encoder from the printer is used for positional feedback.

The base of the printer is a homemade y-carriage with another salvaged printer motor and encoder driving a threaded rod. The positional feedback for this axis is provided by a optical mouse gliding on a sheet of graph paper.  The printer nozzle is a cup of ink with a solenoid actuated needle in it. When the needle moves in a hole at the bottom, it dispenses ink.

As always, [HomoFaciens] makes something that is the very definition of a hack. Commenters will have to go elsewhere to leave their favorite debasement.

Continue reading “[HomoFaciens] Shows Off With DIY Paper Printer”

Threadless Ballscrew for 3D Printer

[2n2r5] posted up a mechanism that we’d never seen before — a threadless ballscrew that turns rotational into linear motion with no backlash. It works by pressing the edge of three bearings fairly hard up against a smooth rod, at an angle. The bearings actually squeeze the rod a little bit, making a temporary indentation in the surface that works just like a screw thread would. As the bearings roll on, the rod bounces back to its original shape. Watch it in action in the video below.

Continue reading “Threadless Ballscrew for 3D Printer”

This Teddy Bear Steals Your Ubuntu Secrets

Ubuntu just came out with the new long-term support version of their desktop Linux operating system. It’s got a few newish features, including incorporating the “snap” package management format. One of the claims about “snaps” is that they’re more secure — being installed read-only and essentially self-contained makes them harder to hack across applications. In principle.

[mjg59] took issue with their claims of increased cross-application security. And rather than just moan, he patched together an exploit that’s disguised as a lovable teddy bear. The central flaw is something like twenty years old now; X11 has no sense of permissions and any X11 application can listen in on the keyboard and mouse at any time, regardless of which application the user thinks they’re providing input to. This makes writing keylogging and command-insertion trojans effortless, which is just what [mjg59] did. You can download a harmless version of the demo at [mjg59]’s GitHub.

This flaw in X11 is well-known. In some sense, there’s nothing new here. It’s only in light of Ubuntu’s claim of cross-application security that it’s interesting to bring this up again.

xeyes

And the teddy bear in question? Xteddy dates back from when it was cool to display a static image in a window on a workstation computer. It’s like a warmer, cuddlier version of Xeyes. Except it just sits there. Or, in [mjg59]’s version, it records your keystrokes and uploads your passwords to shady underground characters or TLAs.

We discussed Snappy Core for IoT devices previously, and we think it’s a step in the right direction towards building a system where all the moving parts are only loosely connected to each other, which makes upgrading part of your system possible without upgrading (or downgrading) the whole thing. It probably does enhance security when coupled with a newer display manager like Mir or Wayland. But as [mjg59] pointed out, “snaps” alone don’t patch up X11’s security holes.