By now you’ve doubtless heard that the FBI has broken the encryption on Syed Farook — the suicide terrorist who killed fourteen and then himself in San Bernardino. Consequently, they won’t be requiring Apple’s (compelled) services any more.
A number of people have written in and asked what we knew about the hack, and the frank answer is “not a heck of a lot”. And it’s not just us, because the FBI has classified the technique. What we do know is that they paid Cellebrite, an Israeli security firm, at least $218,004.85 to get the job done for them. Why would we want to know more? Because, broadly, it matters a lot if it was a hardware attack or a software attack.
Continue reading “FBI vs Apple: A Postmortem”
App development is not fun for everyone, and sometimes you just want to control a device from your phone with minimal work. Blynk appears to be a fairly put-together library for not only hooking up any Arduino or esp8266 to a phone through WiFi, but also through the net if desired.
Install the app onto your iPhone or Android device. Install the libraries on your computer. Next, modify your Arduino source to either pass direct control of a pin to Blynk, or connect Blynk to a virtual pin inside your code for more advanced control. If you want to go the easy route, create an account, log into the app, and drag and drop the interface you’d like. If the idea of letting some corporation host your Arduino project sends shivers down your spine, there is also an option to host your own server. (Editorial snark: Yes, it requires a server. That’s the cost of “simplicity”.)
There have been a few times where we’ve wished we could add app control to our projects, but installing all the libraries and learning a new language just to see a button on a screen didn’t seem worth it. This is a great solution. Have any of you had experience using it?
Smartphones are the opium of the people. If you need proof, just watch the average person’s reaction when they break “their precious”. Repairing smartphones has become a huge business. The most often broken item on phones is of course the front glass. In most cases, the screen itself doesn’t break. On newer smartphones, even the touchscreen is safe. The front glass is only a protective lens.
The easiest way to repair a broken front glass is to swap the entire LCD assembly. For an iPhone 6 plus, this will run upwards of $120 USD. However, the glass lens alone is just $10. The problem is that the LCD, digitizer and front glass are a laminated package. Removing them without breaking the wafer thin LCD glass requires great care. The hardest part is breaking down the optical glue securing the glass to the LCD. In the past that has been done with heat. More recently, companies from China have been selling liquid-nitrogen-based machines that cool the assembly. Now immersing a phone screen in -196° C liquid nitrogen would probably destroy the LCD. However, these machines use a temperature controller to keep a surface at -140° C. Just enough to cause the glue to become brittle, but not kill the LCD.
[JerryRigEverything] doesn’t have several thousand dollars for a liquid nitrogen machine, but he does have a $5 block of dry ice. Dry ice runs at -78.5°C. Balmy compared to liquid nitrogen, but still plenty cold. After laying the phone screens down on the ice for a few minutes, [Jerry] was able to chip away the glass. It definitely takes more work than the nitrogen method. Still, if you’re not opening your own phone repair shop, we think this is the way to go.
Broken phones are a cheap and easy way to get high-resolution LCD screens for your projects. The problem is driving them. [Twl] has an awesome project on Hackaday.io for driving phone screens using an FPGA. We haven’t seen it done with iPhone 6 yet though. Anyone up for the challenge?
Continue reading “Dry Ice is Nice for Separating Broken Phone Screens”
News comes from The Guardian that the iPhone 6 will break because of software updates due to non-authorized hardware replacements. Several thousand iPhone 6 users are claiming their phones have been bricked thanks to software updates if the home button – and the integrated TouchID fingerprint sensor – were replaced by non-Apple technicians.
For the last few iPhone generations, the TouchID fingerprint sensor has been integrated into the home button of every iPhone. This fingerprint sensor provides an additional layer of security for the iPhone, and like everything on smartphones, there is a thriving market of companies who will fix broken phones. If you walk into an Apple store, replacing the TouchID sensor will cost about $300. This part is available on Amazon for about $10, and anyone with a pentalobe screwdriver, spudger, and fine motor control can easily replace it. Doing so, however, will eventually brick the phone, as software updates render the device inoperable if the TouchID sensor is not authorized by Apple.
According to an Apple spokeswoman, the reason for the error 53 is because the fingerprint data is uniquely paired to the touch ID sensor found in the home button. If the TouchID sensor was substituted with a malicious TouchID sensor, complete and total access to the phone would be easy, providing a forehead-slapping security hole. Error 53 is just Apple’s way of detecting devices that were tampered with.
In fairness to Apple, not checking the authenticity of the touch ID would mean a huge security hole; if fingerprint data is the only thing keeping evil balaclava-wearing hackers out of your phone, simply replacing this sensor would grant them access. While this line of reasoning is valid, it’s also incredibly stupid: anyone can get around the TouchID fingerprint sensor with a laser printer and a bit of glue. If you ever get ahold of the German Defense Minister’s iPhone, the fingerprint sensor isn’t going to stop you.
This is a rare case where Apple are damned if they do, damned if they don’t. By not disabling the phone when the TouchID sensor is replaced, all iPhones are open to a gaping security hole that would send the Internet into a tizzy. By bricking each and every iPhone with a replacement TouchID sensor, Apple gets a customer support nightmare. That said, the $300 replacement cost for the TouchID sensor will get you a very nice Android phone that doesn’t have this problem.
On September 21, “Premium” 0day startup Zerodium put out a call for a chain of exploits, starting with a browser, that enables the phone to be remotely jailbroken and arbitrary applications to be installed with root / administrator permissions. In short, a complete remote takeover of the phone. And they offered $1 million. A little over a month later, it looks like they’ve got their first claim. The hack has yet to be verified and the payout is actually made.
But we have little doubt that the hack, if it’s actually been done, is worth the money. The NSA alone has a $25 million annual budget for buying 0days and usually spends that money on much smaller bits and bobs. This hack, if it works, is huge. And the NSA isn’t the only agency that’s interested in spying on folks with iPhones.
Indeed, by bringing something like this out into the open, Zerodium is creating a bidding war among (presumably) adversarial parties. We’re not sure about the ethics of all this (OK, it’s downright shady) but it’s not currently illegal and by pitting various spy agencies (presumably) against each other, they’re almost sure to get their $1 million back with some cream on top.
We’ve seen a lot of bug bounty programs out there. Tossing “firmname bug bounty” into a search engine of your choice will probably come up with a hit for most
firmnames. A notable exception in Silicon Valley? Apple. They let you do their debugging work for free. How long this will last is anyone’s guess, but if this Zerodium deal ends up being for real, it looks like they’re severely underpaying.
And if you’re working on your own iPhone remote exploits, don’t be discouraged. Zerodium still claims to have money for two more $1 million payouts. (And with that your humble author shrugs his shoulders and turns the soldering iron back on.)
It is hardly news that you can use your smart phone as a really crummy oscilloscope. You can even use it as an audio frequency signal generator. There are also plenty of projects that allow you to buffer signals going in and out of your phone to make these apps more useful and protect your phone’s circuitry to some degree. What caught our eye with [loboat’s] phone oscilloscope project was its construction.
Continue reading “Phone Scope Build Uses Old Optical Drive”
[Nathan] is a mobile application developer. He was recently debugging one of his new applications when he stumbled into an interesting security vulnerability while running a program called Charles. Charles is a web proxy that allows you to monitor and analyze the web traffic between your computer and the Internet. The program essentially acts as a man in the middle, allowing you to view all of the request and response data and usually giving you the ability to manipulate it.
While debugging his app, [Nathan] realized he was going to need a ride soon. After opening up the Uber app, he it occurred to him that he was still inspecting this traffic. He decided to poke around and see if he could find anything interesting. Communication from the Uber app to the Uber data center is done via HTTPS. This means that it’s encrypted to protect your information. However, if you are trying to inspect your own traffic you can use Charles to sign your own SSL certificate and decrypt all the information. That’s exactly what [Nathan] did. He doesn’t mention it in his blog post, but we have to wonder if the Uber app warned him of the invalid SSL certificate. If not, this could pose a privacy issue for other users if someone were to perform a man in the middle attack on an unsuspecting victim.
[Nathan] poked around the various requests until he saw something intriguing. There was one repeated request that is used by Uber to “receive and communicate rider location, driver availability, application configurations settings and more”. He noticed that within this request, there is a variable called “isAdmin” and it was set to false. [Nathan] used Charles to intercept this request and change the value to true. He wasn’t sure that it would do anything, but sure enough this unlocked some new features normally only accessible to Uber employees. We’re not exactly sure what these features are good for, but obviously they aren’t meant to be used by just anybody.