Decoding Satellite-based Text Messages with RTL-SDR and Hacked GPS Antenna

[Carl] just found a yet another use for the RTL-SDR. He’s been decoding Inmarsat STD-C EGC messages with it. Inmarsat is a British satellite telecommunications company. They provide communications all over the world to places that do not have a reliable terrestrial communications network. STD-C is a text message communications channel used mostly by maritime operators. This channel contains Enhanced Group Call (EGC) messages which include information such as search and rescue, coast guard, weather, and more.

Not much equipment is required for this, just the RTL-SDR dongle, an antenna, a computer, and the cables to hook them all up together. Once all of the gear was collected, [Carl] used an Android app called Satellite AR to locate his nearest Inmarsat satellite. Since these satellites are geostationary, he won’t have to move his antenna once it’s pointed in the right direction.

Hacked GPS antenna
Hacked GPS antenna

As far as antennas go, [Carl] recommends a dish or helix antenna. If you don’t want to fork over the money for something that fancy, he also explains how you can modify a $10 GPS antenna to work for this purpose. He admits that it’s not the best antenna for this, but it will get the job done. A typical GPS antenna will be tuned for 1575 MHz and will contain a band pass filter that prevents the antenna from picking up signals 1-2MHz away from that frequency.

To remove the filter, the plastic case must first be removed. Then a metal reflector needs to be removed from the bottom of the antenna using a soldering iron. The actual antenna circuit is hiding under the reflector. The filter is typically the largest component on the board. After desoldering, the IN and OUT pads are bridged together. The whole thing can then be put back together for use with this project.

Once everything was hooked up and the antenna was pointed in the right place, the audio output from the dongle was piped into the SDR# tuner software. After tuning to the correct frequency and setting all of the audio parameters, the audio was then decoded with another program called tdma-demo.exe. If everything is tuned just right, the software will be able to decode the audio signal and it will start to display messages. [Carl] posted some interesting examples including a couple of pirate warnings.

If you can’t get enough RTL-SDR hacks, be sure to check out some of the others we’ve featured in the past. And don’t forget to send in links to your own hacking!

Fooling Google Search Console With Tricky PHP

When [Steve] received a notice from Google that a new owner had been added to his Google Search Console account, he knew something was wrong. He hadn’t added anyone to his account. At first he thought it might be a clever phishing tactic. Maybe the email was trying to get him to click a malicious link. Upon further investigation, he discovered that it was legitimate. Some strange email address had been added to his account. How did this happen?

When you want to add a website to Google’s services, they require that you prove that you own the actual website as a security precaution. One method to provide proof is by uploading or creating an HTML file to your website with some specific text inside. In this case, the file needed to be called “google1a74e5bf969ded17.html” and it needed to contain the string “google-site-verification: googlea174e5bf969ded17.html”.

[Steve] logged into his web server and looked in the website directory but he couldn’t find the verification file. Out of curiosity, he tried visiting the web page anyways and was surprised to find that it worked. After some experimentation, [Steve] learned that if he tried to load any web page that looked like “googleNNNNNNN.html”, he would be presented with the corresponding verification code of “google-site-verification: googleNNNNNNNN.html”. Something was automatically generating these pages.

After further investigation, [Steve] found that some malicious PHP code had been added to his website’s index.php page. Unfortunately the code was obfuscated, so he couldn’t determine exactly what was happening. After removing the new code from the index.php file, [Steve] was able to remove the hacker’s email address from [Steve’s] Google account.

This is a very interesting hack, because not only did it allow this one hacker to add himself to [Steve’s] Google account, but it would also have allowed anyone else to do the same thing. This is because each new hacker would have been able to fool Google’s servers into thinking that they had uploaded the verification file thanks to the malicious PHP code. It makes us think that perhaps Google’s verification system should use a separate randomized string inside of the verification file. Perhaps one that can’t be guessed or calculated based on known variables such as the file name.

Hacking a Thin Client to Gain Root Access

[Roberto] recently discovered a clever way to gain root access to an HP t520 thin client computer. These computers run HP’s ThinPro operating system. The OS is based on Linux and is basically just a lightweight system designed to boot into a virtual desktop image loaded from a server. [Roberto’s] discovery works on systems that are running in “kiosk mode”.

The setup for the attack is incredibly simple. The attacker first stops the virtual desktop image from loading. Then, the connection settings are edited. The host field is filled with garbage, which will prevent the connection from actually working properly. The real trick is in the “command line arguments” field. The attacker simply needs to add the argument “&& xterm”. When the connection is launched, it will first fail and then launch the xterm program. This gives the attacker a command shell running under the context of whichever user the original software is running as.

The next step is to escalate privileges to root. [Roberto] discovered a special command that the default user can run as root using sudo. The “”hpobl” command launches the HP Easy Setup Wizard. Once the wizard is opened, the attacker clicks on the “Thank You” link, which will then load up the HP website in a version of Firefox. The final step is to edit Firefox’s default email program association to xterm. Now when the attacker visits an address like “mailto:test@test.com”, Firefox (running as root) launches xterm with full root privileges. These types of attacks are nothing new, but it’s interesting to see that they still persist even in newer software.

Race Conditions Exploit Granted Free Money on Web Services

[Josip] has been playing around with race conditions on web interfaces lately, finding vulnerabilities on both Facebook and Digital Ocean. A race condition can occur when a piece of software processes multiple threads using a shared resource.

For example, [Josip] discovered that he was able to manipulate page reviews using just a single Facebook account. Normally, a user is permitted to leave just one review for any given Facebook page. This prevents a single user from being able to skew the page’s overall ranking by making a bunch of positive or negative reviews. The trick to manipulating the system was to intercept the HTTP request that submitted the page review. The request was then replayed over and over in a very short amount of time.

Facebook’s servers ended up processing some of these requests simultaneously, essentially unaware that multiple requests had come in so close together. The result was that multiple reviews were submitted, artificially changing the pages overall ranking even though only one review actually showed up on the page for this user. The user can then delete their single review, and repeat this cycle over and over. It took Facebook approximately two months to fix this vulnerability, but in the end it was fixed and [Josip] received a nice bounty.

The Digital Ocean hack was essentially the exact same process. This time instead of hacking page reviews, [Josip] went after some free money. He found that he was able to submit the same promotional code multiple times, resulting in a hefty discount at checkout time. Digital Ocean wasted no time fixing this bug, repairing it within just ten days of the disclosure.

Deleting Facebook Albums Without Permission

[Laxman] was poking around Facebook looking for security vulnerabilities. Facebook runs a bug bounty program which means if you can find a vulnerability that’s serious enough, it can earn you cold hard cash. It didn’t take much for [Laxman] to find one worthy of a bounty.

The graph API is the primary way for Facebook apps to read and write to the Facebook social graph. Many apps use this API, but there are limitations to what it can do. For example, the API is unable to delete users’ photo albums. At least, it’s not supposed to be able too. [Laxman] decided to test this claim himself.

He started by sending a command to delete one of his own albums using a graph explorer access token. His request was denied. The application didn’t have the correct permissions to be able to perform that action. It seemed that Facebook was correct and the API was unable to delete photos. [Laxman] had another trick up his sleeve, though. He noticed that the wording of the response suggested that other apps would have the ability to delete the albums, so he decided to check the Facebook mobile application.

He decided to send the same request with a different token. This time he used a token from the Facebook for Mobile application. This actually worked, and resulted in his photo album being deleted. To take things a step further, [Laxman] sent the same requests, but changed the user’s ID to a victim account he had set up. The request was accepted and processed without a problem. This meant that [Laxman] could effectively delete photo albums from any other user without that user’s consent. The vulnerability did require that [Laxman] had permission to view the album in the first place.

Since [Laxman] is one of the good guys, he sent this bug in to the Facebook team. It took them less than a day to fix the issue and they rewarded [Laxman] $12,500 for his trouble. It’s always nice to be appreciated. The video below shows [Laxman] walking through how he pulled off this hack using Burp Suite. Continue reading “Deleting Facebook Albums Without Permission”

Get Better at Mortal Kombat by Hacking Your PS3 Controller

Fighting games like Mortal Kombat provide you with a variety of different available moves. These include kicks, punches, grabs, etc. They also normally include various combination moves you can perform. These combo moves require you to press the proper buttons in the correct order and also require you to time the presses correctly. [Egzola] realized that he could just hack his controller to simulate the button presses for him. This bypasses the learning curve and allows him to perform more complicated combinations with just the press of a single button.

[Egzola] started by taking apart his Playstation 3 controller. There were two PCB’s inside connected by a ribbon cable. Luckily, each individual pad for this cable was labeled with the corresponding controller button. This made it extremely simple to hack the controller. [Egzola] soldered his own wires to each of these pads. Each wire is a different color. The wires then go to two different connectors to make them easier to hook up to a bread board.

Each wire is then broken out on the breadboard. The signal from each button is run through a 4n25 optoisolator. From there the signal makes its way back to various Arduino pins. The 4n25 chips keeps the controller circuit isolated from the Arduino’s electrical circuit. The Arduino also has two push buttons connected to it. These buttons are mounted to the PS3 controller.

Now when [Egzola] presses one of the buttons, the Arduino senses the button press and simulates pressing the various controller buttons in a pre-programmed order. The result is a devastating combination move that would normally require practice and repetition to remember. You might say that [Egzola] could have spent his time just learning the moves, but that wasn’t really the point was it? Check out the video below for a demonstration. Continue reading “Get Better at Mortal Kombat by Hacking Your PS3 Controller”

Turning A Classic NES Controller Into a Bluetooth Controller

[Pietronet] is like many of us in that he enjoys playing some classic console video games from time to time. He usually plays them on his PC using a Wiimote as a controller. The Wiimote has most of the classic buttons in a comfortable configuration. Plus, it’s got Bluetooth built-in, which makes it easy to pair up to your PC. [Pietronet] decided to take it a step further, though. He managed to cram all of the guts from a Wiimote inside of the original NES controller for a more authentic feel.

The first step was to crack open the Wiimote and locate pads for each button. Once they were located, [Pietronet] used a Dremel to cut the board into a smaller size. He cut off part of the circuit board that contained the directional pad as well as the connector for the nunchuck. Next he had to solder very thin wires to each of the button pads he located earlier.

The original NES controller has a very limited number of buttons, and [Pietronet] wanted to modify the original controller as little as possible. Therefore, he attached a magnetic reed switch to the Wiimote’s sync button. This way if he ever needs to sync the Wiimote to a new console, he can do it by holding a magnet in the right place. This is a function that isn’t often used, so the inconvenience should be negligible.

The next step was to connect the buttons from the original NES controller up to the wires that were added to the Wiimote. [Pietronet] left the original circuit board mostly intact. He did have to cut a small chunk of it away in order to make room for two AAA batteries, but this didn’t affect the functionality of the controller.

The inside of the NES controller had to be cleaned out of various standoffs and plastic bits to make room for all of the extra components. The Wiimote has an LED to indicate that the controller is connected properly. [Pietronet] soldered a red SMD LED in its place on the end of two thin wires. This LED was then placed on the bottom left side of the directional pad. It’s visible through a translucent filter. This allows [Pietronet] to see when the NES controller is synced up properly.

The case fits back together and everything is held in place. The result is what looks and feels like a classic NES controller, only this one has Bluetooth connectivity and a vibration motor. Check out the video demonstration below to get an idea of what it looks like in use. Continue reading “Turning A Classic NES Controller Into a Bluetooth Controller”