Breaking the MintEye CAPTCHA one more time

minteye

A while back we saw the MintEye CAPTCHA system  – an ‘are you human’ test that asks you to move a slider until an image is de-swirled and de-blurred – cracked wide open by exploiting the accessibility option. Later, and in a clever bit of image processing, the MintEye CAPTCHA was broken yet again by coming up with an algorithm to detect if an image is de-swirled and de-blurred.

It appears we’re not done with the MintEye CAPTCHA yet (Russian, translation). Now the MintEye CAPTCHA can be broken without any image processing or text-to-speech libraries. With 31 lines of Java, you too can crack MintEye wide open.

The idea behind the hack comes from the fact that blurred images will be much smaller than their non-blurred counterpart. This makes sense; the less detail in an image, the smaller the file size can be. Well, all the pictures MintEye delivers to your computer – 30 of them, one for each step of swirl and blurring – are the same size, meaning the ‘wrong answer’ images are padded with zeros at the end of the file.

There’s a 31 line program on the build page that shows how to look at thirty MintEye images and find the image with the fewest zeros at the end of the file. This is, by the way, the correct answer for the MintEye CAPTCHA, and has a reproducibility of 100%.

So, does anyone know if MintEye is a publicly traded company? Also, how exactly do you short a stock?

Extracting data with USB HID

sd_adaptor

High security workstations have some pretty peculiar ways of securing data. One of these is disabling any USB flash drives that may find their way into a system’s USB port. Security is a cat and mouse game, so of course there’s a way around these measures. [d3ad0ne] came up with a way of dumping files onto an SD card by using the USB HID protocol.

We’ve seen this sort of thing before where a microcontroller carries an executable to extract data. Previously, the best method was to blink the Caps Lock LED on a keyboard, sending one bit at a time to a micocontroller. [d3ad0ne]‘s build exploits the USB HID protocol, but instead of 1 bit per second, he’s getting about 10kBps.

To extract data from a system, [ d3ad0ne] connects a Teensy microcontroller to the USB port. After opening up Notepad, [ d3ad0ne] mashes the Caps Lock key to force the Teensy to type out a script that can be made into an executable. This executable is a bare-bones application that can send any file back over the USB cable to the Teensy where it’s stored on an SD card. Short of filling the USB ports in a workstation with epoxy, there’s really no way to prevent secure files from leaking out of a computer.

Breaking the minteye captcha again

cap

A few days ago we saw a post from [samuirai] at the Shackspace hackerspace in Stuttgart on breaking the minteye captcha system. Like most other captcha cracks, [samuirai] used the voice accessibility option that provides an audio captcha for blind users. Using the accessibility option is a wonderful piece of work, but [Jack] came up with an even more elegant way to defeat the minteye captcha.

For those unfamiliar, the minteye captcha provides a picture tossed through a swirl filter with a slider underneath. Move the slider left or right to eliminate the swirl and you’ve passed the, “are you human” test. Instead of looking for straight lines, [Jack] came up with a solution that easily defeats the minteye captcha in 23 lines of Python: just minimize the length of all the edges found in the pic.

The idea behind the crack is simply the more you swirl an image, the longer the edges in the image become. Edge detection is a well-studied problem, so the only thing the minteye cracking script needed to do was to move the slider for the captcha from the left to the right and measure the lengths of all the edges.

[Jack] included the code for  image processing part of his crack, fortunately leaving out the part where he returns an answer to the minteye captcha. For that, and a very elegant way to crack a captcha, we thank him.

Brute forcing a GPS PIN

pin

[JJ] picked up a Garmin Nuvi 780 GPS from an auction recently. One of the more frustrating features [JJ] ran into is it’s PIN code; this GPS can’t be unlocked unless a four-digit code is entered, or it’s taken to a ‘safe location’. Not wanting to let his auction windfall go to waste, [JJ] rigged up an automated brute force cracking robot to unlock this GPS.

The robot is built around an old HP scanner and a DVD drive sled to move the GPS in the X and Y axes. A clever little device made out of an eraser tip and a servo taps out every code from 0000 to 9999 and waits a bit to see if the device unlocks. It takes around 8 seconds for [JJ]‘s robot to enter a single code, so entering all 10,000 PINs will take about a day and a half.

Fortunately, the people who enter these codes don’t care too much about the security of their GPS devices. The code used to unlock [JJ]‘s GPS was 0248. It only took a couple of hours for the robot to enter the right code; we’d call that time well spent.

You can check out the brute force robot in action after the break.

[Read more...]

Extracting data with keyboard emulation

A common challenge for computer security specialists is getting data out of a very locked-down system. Of course all network traffic on these test machines is monitored, and burning a CD or writing to a USB Flash drive is out of the question. Where there’s a will there’s a way, so [András] figured out how to extract data from a computer by emulating a keyboard.

Emulating a USB HID device is nothing new; the newest Arduino can do it, as can any AVR with the help of V-USB. [András]‘s build emulates a USB keyboard that can download data from a computer by listening to the NUM, CAPS and SCROLL lock LEDs.

Of course, [András] first needs an app to transmit data through these keyboard status LEDs. To do this, his build carries with it a Windows executable file on the AVR’s Flash memory. After plugging his device into the computer, it writes this program to disk and is then able to send data out through keyboard status LEDs.

It’s not very fast – just over one byte per second – but [András] did manage to extract data from a computer, circumventing just about every anti-leaking solution.

Brute forcing the password on a terribly insecure hard drive

While at work one day, [Marco] was approached by a colleague holding a portable USB hard drive. This hard drive – a Freecom ToughDrive – has a built-in security system requiring a password every time the drive is mounted. Somewhat predictably, the password on this hard drive had been lost, so [Marco] brute forced the password out of this drive.

The Freecom ToughDrive requires a password whenever the drive is plugged in, but only allows 5 attempts before it needs to be power cycled. Entering the passwords was easy to automate, but there was still the issue of unplugging the drive after five failed attempts. [Marco] called upon his friend [Alex] to build a small USB extension cable with a relay inserted into the 5 V line. An easy enough solution after which the only thing needed was the time to crack the password.

The rig successfully guessed the password after 500 attempts, or after cycling the power 100 times. This number is incredibly low for getting a password via brute force, but then again the owner of the hard drive was somewhat predictable as to what passwords they used.

Reading RFID cards from afar easily

RFID hacking has been around for years, but so far all the builds to sniff data out of someone’s wallet have been too large, too small a range, or were much too complicated for a random Joe to build in his workshop. [Adam]‘s RFID sniffer gets around all those problems, and provides yet another reason to destroy all the RFID chips in your credit cards.

The project was inspired by this build that took a much larger RFID reader and turned it into a sniffer capable of covertly reading debit cards and passports from the safety of a backpack or briefcase. [Aaron]‘s build uses a smaller off-the-shelf RFID reader, but he’s still able to read RFID cards from about a foot away.

[Aaron]‘s build is very simple consisting of only an Arduino and SD card reader. [Aaron] is able to capture all the data from an RFID card, write that data to the SD card, and emulate a card using his RFID cloner.

What’s really impressive about the build is that [Aaron] says he’s not a programmer or electrical engineer. His build log is full of self-denegration that shows both how humble [Aaron] is and how easy it is for anyone with the requisite skill set to clone the bank card sitting in your wallet. We don’t know about you, but you might want to line your wallet with aluminum foil from now on.