[Andrew Robinson] and his co-workers are lucky enough to have a Keurig coffee maker in their office, though they have a hard time keeping track of who owes what to the community coffee fund. Since K-Cups are more expensive than bulk coffee, [Andrew] decided that they needed a better way to log everyone’s drinking habits in order to know who needs to cough up the most cash at the end of the month.

He started by tearing down the Keurig B40, making note of the various PCBs inside while identifying the best way to go about hacking the device. The coffee maker is controlled by a PIC, and rather than try to re-engineer things from the bottom up, he left the core of the machine intact and focused on the control panel instead.

He disconnected all of the unit’s buttons from the control board, routing them through an Arduino before reconnecting them to the machine. This essentially rendered the machine inoperable unless triggered by the Arduino, giving [Andrew] control over the brewing process. He wired in an RFID reader from SparkFun, then got busy coding his security/inventory system. Now, when someone wants coffee, they merely need to swipe their office access card over the machine, which enables the use of its control panel.

As you can see in the video below the system seems to work well. If we were to offer some constructive criticism, we would suggest ditching the laptop and rolling the RFID reading/verification into the Arduino instead – other than that, we think it’s great.

The news was abuzz yesterday with coverage of a study released by Columbia University researchers warning consumers that HP laser printers are wide open to remote tampering and hacking. The researchers claim that the vast majority of printers from HP’s LaserJet line accept firmware updates without checking for any sort of digital authentication, allowing malicious users to abuse the machines remotely. The researchers go so far as to claim that modified firmware can be used to overheat the printer’s fuser, causing fires, to send sensitive documents to criminals, and even force the printers to become part of a botnet.

Officials at HP were quick to counter the claims, stating that all models built in 2009 and beyond require firmware to be digitally signed. Additionally, they say that all of the brand’s laser printers are armed with a thermal cutoff switch which would mitigate the fuser attack vector before any real fire risk would present itself. Despite HP’s statements, the researchers stand by their claims, asserting that vulnerable printers are still available for purchase at major office supply stores.

While most external attacks can easily be prevented with the use of a firewall, the fact that these printers accept unsigned firmware is undoubtedly an interesting one. We are curious to see if these revelations inspire anyone to create their own homebrew LaserJet firmware with advanced capabilities (and low toner warning overrides), or if this all simply fizzles out after a few weeks.

Locks are always temporary hindrances. After deciding to open the RFID-secured lock in his department, [Tixlegeek] built a device to read and spoof RFID tags (French, Google translate here).

The system is built around an ATMega32 microcontroller with a 16×2 LCD display. A commercial RFID reader module takes care of all the sniffing/cloning duties, and a small modulation circuit handles pumping those bits over to a lock. Right now, the spoofer can only handle reading and spoofing 125kHz RFID tags with no encryption or authorization. A tag that’s more complex than the duct tape RFID tag doesn’t work.

[Tixlegeek]‘s little project does open up a few interesting avenues of exploring stuff that’s most certainly illegal. A smaller version of the project could be emplaced near a door or other RFID reader and left to crack a lock with a 32+62 bit password at 125 kilohertz. It wouldn’t be the fastest safecracker in the business, but it would work automatically as long as there is power.

If you’ve got any other ideas on what [Tixlegeek]‘s RFID spoofer could do, leave a note in the comments.

The crew at the Milwaukee Hackerspace are pretty serious about their beer. They used to have a fridge filled with cans, available to all at the hackerspace, but they decided to beef things up and create a secured beer dispensing system.

Like many others we have seen, their kegerator is built into an old refrigerator, complete with a tap built into the door. To ensure that interlopers are kept from their precious brew, they have secured the refrigerator using an Arduino and RFID tags to grant access. They use the same RFID key fobs members carry to gain access to the space for tracking beer consumption, unlocking the tap whenever a valid tag is swiped past the sensor.

They are still in the midst of tweaking and revising the system, but it looks good so far. It’s a great way to keep uninvited guests from their beer stash, while giving them a way to track consumption at the same time. We’re looking forward to seeing more details and code once things are completely wrapped up.

[via BuildLounge]

It seems that [pppd] is always rushing out of his apartment to catch the bus, and he finds himself frequently questioning whether or not he remembered to lock the door. He often doubles back to check, and while he has never actually forgotten to lock the door, he would rather not deal with the worry.

Since he finally had some free time on his hands, he decided to put together a simple device that would help end his worry once and for all. Using an ATtiny13, [pppd] designed a circuit that would detect when his door has been unlocked and opened, beeping every few seconds until the lock is reengaged. The circuit relies on a reed switch installed inside the door frame, which is tripped by the magnet he glued to his door’s deadbolt.

He says that the system works well so far, though he does have a few improvements in mind already.

[Dimitris] decided to build a homemade alarm system, but instead of triggering a siren, sending an SMS message, or Tweeting about an intrusion, he preferred that his system call him when there was trouble afoot. He says that he preferred a call over text messaging because there are no charges associated with the call if the recipient does not pick up the line, which is not the case with SMS.

The system is based around an off the shelf motion detector that was hacked to work with an old mobile phone. The motion detector originally triggered a siren, but he stripped out the speaker and wired it to a bare bones Arduino board he constructed. The Arduino was in turn connected to the serial port of an unused Ericssson T10s mobile phone. This allows the Arduino to call his mobile phone whenever the motion detector senses movement.

The system looks to be quite useful, and while [Dimitris] didn’t include all of the code he used, he says others should be able to replicate his work without too much trouble.

A pair of security researchers have recently unveiled an interesting new keylogging method (PDF Research Paper) that makes use of a very unlikely smartphone component, your gyroscope.

Most smart phones now come equipped with gyroscopes, which can be accessed by any application at any time. [Hao Chen and Lian Cai] were able to use an Android phone’s orientation data to pin down what buttons were being pressed by the user. The attack is not perfect, as the researchers were only able to discern the correct keypress about 72% of the time, but it certainly is a good start.

This side channel attack works because it turns out that each button on a smart phone has a unique “signature”, in that the phone will consistently be tilted in a certain way with each keypress. The pair does admit that the software becomes far less accurate when working with a full qwerty keyboard due to button proximity, but a 10 digit pad and keypads found on tablets can be sniffed with relatively good results.

We don’t think this is anything you should really be worried about, but it’s an interesting attack nonetheless.

[Thanks, der_picknicker]

[Shawn McCombs] is up to no good with his first Teensy project. The board you see above takes the input from a PS2 keyboard and converts it to a USB connection. Oh, and did we mention that it also keeps track of everything you type as well?

From the beginning the project was intended to be a keylogger. It’s a man-in-the-middle device that could be hidden inside the case of a keyboard, making it appear to be a stock USB keyboard. Data is stored to an SD card so an attacker would need to gain access to the hardware after the data he’s targeting has been typed.

It works mostly as [Shawn] expected. He is, however, having trouble handling the CTRL, ALT, Windows, and Caps Lock keys. If this were actually being used maliciously it would be a dead giveaway. Many secure Windows machine require a CRTL-ALT-DELETE keystroke to access the login screen.

As home automation becomes more and more popular, hackers and security experts alike are turning their attention to these systems, to see just how (in)secure they are.

This week at DefCon, a pair of researchers demonstrated just how vulnerable home automation systems can be. Carrying out their research independently, [Kennedy] and [Rob Simon] came to the same conclusion – that manufacturers of this immature technology have barely spent any time or resources properly securing their wares.

The researchers built tools that focus on the X10 line of home automation products, but they also looked at ZWave, another commonly used protocol for home automation communications. They found that ZWare-based devices encrypted their conversations, but that the initial key exchange was done in the open, allowing any interested 3rd party to intercept the keys and decrypt the communications.

While you might initially assume that attacks are limited to the power lines within a single house, [Kennedy] says that the signals leak well beyond the confines of your home, and that he was able to intercept communications from 15 distinct systems in his neighborhood without leaving his house.

[William] Had originally built a little Security Bot to roam the halls of his house while he was not at home. He wanted a little bit more and started Security Bot 2 to include a good pile of sensors and add pan and tilt control to the onboard camera. Thanks to ordering pieces from a “who’s who” list of robotic and electronic hobby shops, the bits and pieces quickly arrived making assembly less tedious.

Packed on board of the 4WD platform are IR switches, IR distanace sensors, line sensors, Ultrasonic sensor, an Xbee (soon to be replaced with a WiFi Shield), pan/tilt brackets/servo, SpeakJet/TTS/Speakers, LCD, battery, serial motor controller, ICSP pocket programmer, Arduino Mega 2560, DSS Circuits Fuel Gauges, plus motors, batteries, camera, leds and a wiimote connection. (whew, that’s a mouth full)

All put together with some perfboards, breakout boards and a lot of jumper wire Security Bot2 is ready to patrol your premises!

While we see plenty of security-related conferences here in the US, our friends across the pond were apparently anxious to hold a large-scale security conference of their own. At the helm of the first ever 44Con are DEF CON Goon [Adrian] and Penetration Tester [Steve Lord]. The pair are quite involved in London’s security community and are looking to bring like-minded individuals together over four days of security talks and workshops.

While 44Con’s list of speakers has been wrapped up, they are still looking for people to help run workshops on the 1st and 2nd of September. They are requesting that any hackers in the area drop them a line if interested.

Taking a look at their site, you can see that they have a nice selection of talks lined up catering to those on the business side of Information Security as well as deep technical discussions about threats and vulnerabilities. If you plan on hitting up the conference, be sure to let us know in the comments section.

When you think about hacking laptops, it’s highly unlikely that you would ever consider the battery as a viable attack vector. Security researcher [Charlie Miller] however, has been hard at work showing just how big a vulnerability they can be.

As we have been discussing recently, the care and feeding of many batteries, big and small, is handled by some sort of microcontroller. [Charlie] found that a 2009 update issued by Apple to fix some lingering MacBook power issues used one of two passwords to write data to the battery controllers. From what he has seen, it seems these same passwords have been used on all batteries manufactured since that time as well. Using this data, he was subsequently able to gain access to the chips, allowing him to remotely brick the batteries, falsify data sent to the OS, and completely replace the stock firmware with that of his own.

He says that it would be possible for an attacker to inject malware into the battery itself, which would covertly re-infect the machine, despite all traditional removal attempts. Of course, replacing the battery would rectify the issue in these situations, but he says that it would likely be the last thing anyone would suspect as the source of infection. While using the battery to proliferate malware or cause irreversible damage to the computer would take quite a bit of work, [Charlie] claims that either scenario is completely plausible.

He plans on presenting his research at this year’s Black Hat security conference in August, but in the meantime he has created a utility that generates a completely random password for your Mac’s battery. He says that he has already contacted Apple to in order to help them construct a permanent fix for the issue, so an official patch may be available in the near future.

[Thanks, Sergio]

[John Boxall] of Little Bird Electronics was thinking about combination locks, and how one might improve or at least change the way these locks work. Traditional combo locks can be implemented in a variety of ways, most of which we are all familiar with. Standard rotary padlock and keypad-based electronic safes work just fine, but he was interested to see how one might implement a single button combination lock.

[John] determined that the best, if not only way, to build this sort of lock would require him to measure button press intervals. In his case he decided to monitor the intervals between his button presses instead, but the concept is the same. He first tested himself to see how accurately he could press and release the button, leaving a one-second space between presses. After looking at the results he determined that he would need to incorporate at least a 10% margin for error into his code in order to compensate for human error.

He then created an Arduino sketch to test his idea, defining a set of key press intervals that could be used to ‘unlock’ his imaginary vault. It worked quite well, as you can see in the video demo below.

Now we’re not suggesting that you lock up your mint condition My Little Pony collection or your illegal arms stash with this type of lock, but it could be useful as an extra failsafe for certain projects/gadgets that you want to keep all to yourself.

As phone systems have evolved over time, the desire to break them and exploit their usage continues to flourish. Just recently, [The Hacker’s Choice (THC)] announced that they had accessed secure data from Vodafone’s mobile phone network last year, via their femtocell product.

The purpose of the femtocell is to extend mobiile network coverage to locations where reception might not be ideal, routing calls to Vodafone’s network via IPSec tunnels. [THC] knew that this meant the femtocells required a high-level of interaction with the carrier’s traditional mobile network, so they started poking around to see what could be exploited.

After gaining administrative access to the femtocell itself using the root password “newsys”, they found that they were able to allow unauthorized users to utilize the service – a simple ToS violation. However, they also had the ability to force any nearby Vodafone subscriber’s phone to use their femtocell. This enabled them to request secret keys from Vodafone, which they could then use to spoof calls and SMS messages from the victim’s phone without their knowledge.

They have been kind enough to release all of the pertinent information about the hack on their wiki for any interested parties to peruse. Now we’re just wondering how long it takes before stateside carriers’ femtocells are exploited in the same fashion.

[Thanks, kresp0]

While it seems that many people are wise to shoulder surfing, keeping a lookout for anyone spying on their passwords, [Haroon] wrote in to remind us that the threat is just as real today as it ever was.

The subjects of his research are touch screen phones and tablets, which utilize on-screen keyboards for data entry. He says that while nearly all password entry boxes on these devices are obscured with the traditional line of asterisks, the keyboards themselves are quite an interesting vulnerability.

Since touch screen technology can be finicky at times, most vendors ship their devices with some sort of key press verification system. On the iPhone and iPad, for instance, each key is highlighted in blue following a button press. This functionality makes it quite easy for shoulder surfers to casually steal your password if you’re not paying attention.

But what if you are well aware of your surroundings? [Haroon] has developed a piece of software he calls shoulderPad, which is based on openCV that does the surfing for him. The application can monitor a video stream, live or recorded, extracting the user’s password from the highlighted button presses. His demonstrations show the recording taking place at a relatively close distance, but he says that it would be quite easy to use surveillance footage or zoom lenses to capture key presses from afar.

He does say that the button highlighting can be easily disabled in the iPhone’s options pane, which should negate this sort of attack for the most part.

Continue reading to see a quick video of shoulderPad in action.