Yik Yak MITM Hack (Give the Dog a Bone)

Yik Yak is growing in popularity lately. If you are unfamiliar with Yik Yak, here’s the rundown. It’s kind of like Twitter, but your messages are only shared with people who are currently within a few miles of you. Also, your account is supposed to be totally anonymous. When you combine anonymity and location, you get some interesting results. The app seems to be most popular in schools. The anonymity allows users to post their honest thoughts without fear of scrutiny.

[Sanford Moskowitz] decided to do some digging into Yik Yak’s authentication system. He wanted to see just how secure this “anonymous” app really is. As it turns out, not as much as one would hope. The primary vulnerability is that Yik Yak authenticates users based solely on a user ID. There are no passwords. If you know the user’s ID number, it’s game over.

The first thing [Sanford] looked for was an unencrypted connection to try to sniff out user IDs. It turned out that Yik Yak does actually encrypt the connection to its own servers, at least for the iPhone app. Not to worry, mobile apps always connect to other services for things like ad networks, user tracking, etc. Yik Yak happens to make a call to an analytics tool called Flurry every time the app is fired up. Flurry needs a way to track the users for Yik Yak, so of course the Yik Yak app tells Flurry the user’s ID. What other information would the anonymous app have to send?

Unfortunately, Flurry disables HTTPS by default, so this initial communication is in plain text. That means that even though Yik Yak’s own communications are protected, the user ID is still exposed and vulnerable. [Sanford] has published a shell script to make it easy to sniff out these user IDs if you are on the same network as the user.

Once you have the user ID, you can take complete control over the account. [Sanford] has also published scripts to make this part simple. The scripts will allow you to print out every single message a user has posted. He also describes a method to alter the Yik Yak installation on a rooted iPhone so that the app runs under the victim’s user ID. This gives you full access as if you owned the account yourself.

Oh, there’s another problem too. The Android app is programmed to ignore bad SSL certificates. This means that any script kiddie can perform a simple man-in-the-middle attack with a fake SSL certificate and the app will still function. It doesn’t even throw a warning to the user. This just allows for another method to steal a user ID.

So now you have control over some poor user’s account, but at least they are still anonymous, right? That depends. The Yik Yak app itself appears to keep anonymity, but analyzing the traffic coming from the client IP address can make it trivial to identify a person. First of all, [Sanford] mentions that a host name can be a dead giveaway. A host named “Joe’s iPhone” might be a pretty big clue. Other than that, looking out for user names and information from other unencrypted sites is easy enough, and that would likely give you everything you need to identify someone. Keep this in mind the next time you post something “anonymously” to the Internet.

[via Reddit]

Finding a Shell in a Bose SoundTouch

Bose, every salesperson’s favorite stereo manufacturer, has a line of WiFi connected systems available. It’s an impressively innovative product, able to connect to Internet Radio, Pandora, and music libraries stored elsewhere on the network. A really great idea, and since this connects to a bunch of web services, you just know there’s a Linux shell in there somewhere. [Michael] found it.

The SoundTouch is actually rather easy to get into. The only real work to be done is connecting to port 17000, turning remote services on, and then connecting with telnet. The username is root.

The telnet service on port 17000 is actually pretty interesting, and we’re guessing this is what the SoundTouch iOS app uses for all its wizardry. [Michael] put a listing of the ‘help’ command up on pastebin, and it looks like there are commands for toggling GPIOs, futzing around with Pandora, and references to a Bluetooth module.

Interestingly, when [Michael] first suspected there could be Linux inside this box, he contacted Bose support for any information. He figured out how to get in on his own, before Bose emailed him back saying the information is proprietary in nature.

Getting a Shell on any Android Device

If you’re an Evil Customs Agent or other nefarious Three Letter Agency Person, you’re probably very interested in getting data off people’s phones. Even if the screen is locked, there’s a way around this problem: just use the Android Debug Bridge (ADB), a handy way to get a shell on any Android device with just a USB cable. The ADB can be turned off, though, so what is the Stasi to do if they can’t access your phone over ADB? [Michael Ossmann] and [Kyle Osborn] have the answer, and it involves a little-known property of USB devices.

USB mini and micro plugs have five pins – power, ground, D+, D-, and an oft-overlooked ID pin. With a particular resistance between this ID pin and ground, the USB multiplexor inside your phone can allow anyone with the proper hardware to access the state of the charger, get an audio signal, mess around with the MP3s on your device, or even get a shell.

To test their theory, [Michael] and [Kyle] rigged up a simple USB plug to UART adapter (seen above) that included a specific value of resistor to enable a shell on their test phone. Amazingly, it worked and the thought of having a secure phone was never had again.

The guys went farther with some proprietary Samsung hardware that could, if they had the service manual, unlock any Samsung phone made in the last 15 years. They’re working on building a device that will automagically get a shell on any phone and have built some rather interesting hardware. If you’re interested in helping them out with their project, they have a project site up with all the information to get up to speed on this very ingenious hack.


Crash course in HTML manipulation from a shell script

Automating something involving data from the Internet can be confusing when it comes to pages generated by user input. For instance, let’s say you want to scrape data from a page that loads after using a search box. [Andrew Peng] posted a quick and dirty example to help you write your own scripts. The example he used checks stock on one of the websites he frequents. His process outlines finding the link that all searches are submitted to, establishing the method used to send the search string, and grabbing the resulting data. He parses it and sends off an email if it finds what he’s looking for. But this could be used for a lot of things, and it shouldn’t be a problem to make it alert you in any way you can imagine. Maybe we’ll use this to add some functionality to our rat.
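The three steps [Andrew] outlines (find the form action, establish the method, fetch and parse the result) as an added example, not his script and not taken from any real store. The search page and the two result pages are constructed inline so the parsing runs offline; BASE_URL and NOTIFY_ADDR are placeholders, and the function names are this example's own. The one thing worth copying is that the search string is handed to curl with --data-urlencode rather than pasted into a URL, so a term containing &, = or quotes cannot rewrite the query or escape into the shell.

```bash
#!/bin/bash
# Added example: scrape a page that only appears after a search-box submit.

BASE_URL='https://shop.example'        # placeholder, not a real store
NOTIFY_ADDR='me@example.invalid'       # placeholder address for the alert

# Constructed search page: the form the site's search box submits to.
SEARCH_PAGE='<html><body>
<form id="search" action="/catalog/search.php" method="POST">
  <input type="text" name="q"><input type="submit" value="Go">
</form></body></html>'

# Constructed result pages, one with stock and one without.
RESULT_IN_STOCK='<div class="item"><span class="name">Widget 3000</span>
<span class="stock">In Stock</span></div>'
RESULT_SOLD_OUT='<div class="item"><span class="name">Widget 3000</span>
<span class="stock">Out of Stock</span></div>'

# Step 1: the link all searches are submitted to (first <form> action).
# A path on the same host is assumed; an absolute URL would need handling.
form_action() {
    printf '%s\n' "$1" | sed -n 's/.*<form[^>]*action="\([^"]*\)".*/\1/p' | head -n 1
}

# Step 2: the method used to send the search string; browsers default to GET.
form_method() {
    local m
    m=$(printf '%s\n' "$1" | sed -n 's/.*<form[^>]*method="\([^"]*\)".*/\1/p' | head -n 1)
    printf '%s' "${m:-get}" | tr '[:upper:]' '[:lower:]'
}

# Step 3a: submit the search. curl encodes the term, so it can't alter the query.
run_search() {
    local page="$1" term="$2" action method
    action=$(form_action "$page")
    method=$(form_method "$page")
    if [ "$method" = post ]; then
        curl -sS --data-urlencode "q=$term" "$BASE_URL$action"
    else
        curl -sS --get --data-urlencode "q=$term" "$BASE_URL$action"
    fi
}

# Step 3b: parse the result. Match the exact marker, not a loose word,
# so "Out of Stock" never passes as "In Stock".
in_stock() {
    printf '%s\n' "$1" | grep -q '>In Stock<'
}

# [Andrew] emails himself; use mail(1) when present, stdout otherwise.
notify() {
    if command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$2" | mail -s "$1" "$NOTIFY_ADDR"
    else
        printf '%s: %s\n' "$1" "$2"
    fi
}

# Glue: fetch, parse, alert. Not called below, since it needs the network.
check_stock() {
    local term="$1" result
    result=$(run_search "$SEARCH_PAGE" "$term") || return 1
    if in_stock "$result"; then
        notify "In stock: $term" "Found at $BASE_URL$(form_action "$SEARCH_PAGE")"
    fi
}

# Offline demo of the parsing steps on the constructed pages.
printf 'action=%s method=%s\n' "$(form_action "$SEARCH_PAGE")" "$(form_method "$SEARCH_PAGE")"
if in_stock "$RESULT_IN_STOCK"; then echo "sample result page: in stock"; fi
if ! in_stock "$RESULT_SOLD_OUT"; then echo "sample sold-out page: not in stock"; fi
```

Run it as-is to see the parsed action and method, then call check_stock "Widget 3000" from a cron job once BASE_URL points at a site you actually use. Treat the fetched HTML as untrusted input throughout: it only ever passes through sed and grep, never through eval or an unquoted expansion.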

Nexus One gets Linux

Considering how hackable the Nexus One is already, we can only imagine a whole new host of interesting things thanks to Ubuntu running on the device. [Max Lee] set his heart on getting not just Ubuntu on the Nexus One, but also Debian, and he wrote a perfect install guide to help out those wanting to give it a shot.

He cheated a little bit by having Ubuntu run in the background while the X11 interface is simply VNCed, but he still did an awesome job with plenty of pictures and details to help you achieve Ubuntu on your Nexus One.

Arduino command interpreter shell


A lot of people like fancy GUIs and nice graphics, but some of us just feel more at home in a command prompt. [nevdull] is one of those people. Instead of just using the Arduino dev tools that are available for download, he wanted the ability to shell into his Arduino, so he created AVR Shell. AVR Shell is a UNIX-like shell that allows you to “log in” to your Arduino/AVR and see what’s really going on, letting you read registers, scale the CPU speed, create/edit/delete variables, and even set up timers. The shell is even user-customizable! Those of you interested in Arduino shells might also check out bitlash, another open source CLI. Someone ought to hook this up to the Internet-enabled Furby and get Flite compiled on there, letting us shell into a Furby from miles away to make it talk.

[Thanks Leesam]

Take command of your BASH prompt


[Joshua] has put together a list of BASH prompt customizations. The command prompt is used in a command-line interface to show that the system is ready for the next command. Often this is nothing more than a user name, host name, and working directory:

mike@krusty:~$

[Joshua’s] customization examples can be used to color code the information in your prompt, change what information is displayed, and make the prompt respond differently when an invalid command is typed. A BASH prompt reference is helpful in deciphering what each of these commands does. The easiest simplification is to understand that non-printing characters (such as color codes) are surrounded in escaped square brackets. For example, line 1 is the sequence for Red, line 2 is the sequence for Dark Grey, and line 3 sets a simple prompt to display in Red and all text after that to be in Dark Grey:

\[\e[0;31m\]
\[\e[1;30m\]
PS1="\[\e[0;31m\]\u@\h:\w\$ \[\e[1;30m\]"
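Putting the two ideas together, as an added example that is not from [Joshua]'s list: the same escaped-bracket coloring, plus a prompt that turns red after a command fails. It uses PROMPT_COMMAND, which BASH runs just before drawing each prompt while $? still holds the last command's exit status; the function names are this example's own.

```bash
#!/bin/bash
# Added example: a PS1 that colors user@host by the last command's exit status.

# Color sequences wrapped in \[ \] so BASH knows they take no screen space;
# without the brackets, line editing and history search misplace the cursor.
RED='\[\e[0;31m\]'
GREEN='\[\e[0;32m\]'
DARK_GREY='\[\e[1;30m\]'
RESET='\[\e[0m\]'

# build_prompt STATUS: print the PS1 string, green user@host for status 0,
# red otherwise. Text typed after the prompt is dark grey, as on the page.
build_prompt() {
    local status="$1" color
    if [ "$status" -eq 0 ]; then
        color="$GREEN"
    else
        color="$RED"
    fi
    # printf arguments are not escape-processed, so \u \h \w reach BASH intact
    printf '%s%s%s%s%s' "$color" '\u@\h' "$RESET" ':\w\$ ' "$DARK_GREY"
}

# install_prompt: call from ~/.bashrc. The single quotes delay expansion, so
# $(build_prompt $?) is evaluated each time the prompt is about to be drawn.
install_prompt() {
    PROMPT_COMMAND='PS1=$(build_prompt $?)'
}

# Stand-alone demo: show the two strings that would become PS1.
printf 'after success: %s\n' "$(build_prompt 0)"
printf 'after failure: %s\n' "$(build_prompt 127)"
```

Source the file and run install_prompt in an interactive shell to try it; a mistyped command (exit status 127) flips the next prompt to red. Keeping a color code open at the end of PS1, as the page's line 3 does, also colors every command's output, so add the RESET sequence there instead if you only want the prompt itself colored.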
