shackspace member [@dop3j0e] found himself in a real bind when trying to recover some data after his ThinkPad’s fingerprint scanner died. You see, he stored his hard drive password in the scanner, and over time completely forgot what it was. Once the scanner stopped working, he had no way to get at his data.
He brainstormed, trying to figure out the best way to recover his data. He considered reverse engineering the BIOS, which was an interesting exercise, but it did not yield any password data. He also thought about swapping the hard drive’s logic board with that of a similar drive, but it turns out that the password is stored on the platters, not the PCB.
With his options quickly running out, he turned to a piece of open-source hardware we’ve covered here in the past, the OpenBench Logic Sniffer. The IDE bus contains 16 data pins, and lucky for [@dop3j0e] the OpenBench has 16 5v pins as well – a perfect match. He wired the sniffer up to the laptop and booted the computer, watching SUMP for the unlock command to be issued. Sure enough he captured the password with ease, after which he unlocked and permanently removed it using hdparm.
Be sure to check out [@dop3j0e's] presentation on the subject if you are interested in learning more about how the recovery was done.
[Igor] drives a 4th generation Volkswagen Golf, and decided he wanted to play around with the CAN bus for a bit. Knowing that the comfort bus is the most accessible and the safest to toy with, he started poking around to see what he could see (Google translation).
He pulled the trim off one of the rear doors and hooked into the comfort bus with an Arduino and a CAN interface module. He sniffed the bus’ traffic for a bit, then decided he would add some functionality to the car that it was sorely lacking. The car’s windows can all be rolled down by turning the key in any lock for more than a few seconds; however, this cannot be done remotely. The functionality can be added via 3rd party modules or through manipulating the car’s programming with some prepackaged software, but [Igor] wanted to give it a go himself.
He programmed the Arduino to listen for longer than normal button presses coming from the remote. Once it detects that he is trying to roll the windows up or down, the Arduino issues the proper window control commands to the bus, and his wish is the car’s command.
It’s a pretty simple process, but then again he has just gotten started. We look forward to seeing what else [Igor] is able to pull off in the future. In the meantime, continue reading to see a quick video of his handiwork.
If you are interested in seeing what you might be able to do with your own car, check out this CAN bus sniffer we featured a while back.
The ubiquitous presence of wireless devices combined with easy access to powerful RF development platforms makes the everyday world around us a wireless hacker’s playground. Yesterday [Travis Goodspeed] posted an article showing how goodfet.cc can be used to sniff wireless traffic and also to jam a given frequency. We’ve previously covered the work of [Travis] in pulling raw data from the IM-ME spectrum analyzer, which also uses goodfet.cc.
The Texas Instruments Chronos watch dev platform contains a C1110 chip, which among other things can provide accelerometer data from the watch to an interested sniffer. The i>clicker classroom response device (which houses a XE1203F chip) is also wide open to this, yielding juicy info about your classmates’ voting behaviour. There is still some work to be done to improve goodfet.cc, and [Travis] pays in beer–not in advance, mind you.
With products like the Chronos representing a move towards personal-area wireless networks, this sort of security hole might eventually have implications for individual privacy of, for example, biometric data–although how that might be exploited is another topic. Related to this idea is that of sniffable RFID card data. How does the increasing adoption of short-range wireless technologies affect us, both for good and bad? We invite you to share your ideas in the comments.
It’s fun to pick apart code, but it gets more difficult when you’re talking about binaries. [Joby Taffey] opened up the secrets to one of [Travis Goodspeed's] hacks by disassembling and sniffing the data from a Zombie Gotcha game binary.
We looked in on [Travis'] work yesterday at creating a game using sprites on the IM-ME. He challenged readers to extract the 1-bit sprites from an iHex binary and that’s what got [Joby] started. He first tried to sniff the LCD data traces using a Bus Pirate but soon found the clock signal was much too fast for the device to reliably capture the signals. After looking into available source code from other IM-ME hacks [Joby] found how the SPI baud rate is set, then went to work searching for that in a disassembly of [Travis'] binary. Once found, he worked through the math necessary to slow down communication from 2.7 Mbit/s to 2400 bps and altered the binary data to match that change. This slower speed is more amenable to the Bus Pirate’s capabilities and allowed him to dump the sprite data as it was sent to the LCD screen.
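The baud-rate math mentioned above can be carried through as follows. This is an added example, not [Joby]'s or [Travis'] code, and it rests on assumptions that are not stated on this page: that the IM-ME's processor is a TI CC1110 clocked at 26 MHz, and that its USART bit rate follows the datasheet formula rate = (256 + BAUD_M) × 2^BAUD_E × F / 2^28. Because the 2.7 Mbit/s figure is rounded, the pair found for it is the nearest fit, not necessarily the exact bytes in the binary.

```python
"""Added example: baud-rate register math for a CC1110-style USART (assumed)."""

F_SYS = 26_000_000  # assumption: 26 MHz system clock on the IM-ME


def baud_rate(baud_e: int, baud_m: int, f_sys: int = F_SYS) -> float:
    """Bit rate produced by a 5-bit exponent and an 8-bit mantissa."""
    if not (0 <= baud_e <= 31 and 0 <= baud_m <= 255):
        raise ValueError("BAUD_E is 5 bits wide, BAUD_M is 8 bits wide")
    return (256 + baud_m) * (1 << baud_e) * f_sys / (1 << 28)


def nearest_setting(target: float, f_sys: int = F_SYS):
    """Search every register pair; return (baud_e, baud_m, actual_rate)."""
    best = None
    for e in range(32):
        for m in range(256):
            rate = baud_rate(e, m, f_sys)
            if best is None or abs(rate - target) < abs(best[2] - target):
                best = (e, m, rate)
    return best


def describe(target: float) -> str:
    """One-line summary of the register values to look for or to patch in."""
    e, m, rate = nearest_setting(target)
    err = 100 * (rate - target) / target
    return (f"target {target:>9.0f} bps -> BAUD_E={e:2d} (0x{e:02X}) "
            f"BAUD_M={m:3d} (0x{m:02X}) actual {rate:.1f} bps ({err:+.3f}%)")


if __name__ == "__main__":
    # The fast rate the game ships with (rounded on the page) and the slow
    # rate the binary was patched to so the Bus Pirate could keep up.
    for target in (2_700_000, 2400):
        print(describe(target))
```

The exponent/mantissa split is why a rate change of more than a thousandfold touches only two small constants in the binary: the exponent sets the power-of-two range and the mantissa trims within it.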
[.ronin] built an all-in-one WiFi and Bluetooth sniffer. He used a Nerf rifle as a base and added two Pringles cantennas, a tablet PC, and various other bits to tie it all together. Now he wanders the streets, explaining the device to bewildered passersby. After showing the device at CarolinaCon 2010 (here’s a PDF of his presentation) he stopped by the mall and nibbled about 250 Bluetooth devices using SpoofTooph. The software is running on a Fujitsu u810 tablet and he’s making good use of Backtrack 4 during his wireless adventures.
Remote-Exploit.org is releasing Keykeriki, a wireless keyboard sniffer. The project is both open source hardware and software. You can download the files on their site. Right now you can’t get a pre-made board, but they plan on releasing one soon. The system can be upgraded with “backpacks”, or add-on modules. One of these is going to be an LCD that displays the keystrokes of the keyboard you are sniffing. Another is supposed to serve as an interface to your iPhone. Right now it has the ability to decode Microsoft wireless keyboards, but the Logitech pieces should be added soon.
Researchers from Inverse Path showed a couple of interesting techniques for sniffing keystrokes at CanSecWest. For their first experiments they used a laser pointed at the shiny back of a laptop. The keystrokes would cause the laptop to vibrate, which they could detect just like they would with any laser listening device. They’ve done it successfully from anywhere between 50 to 100 feet away. They used techniques similar to those in speech recognition to determine what sentences were being typed.
In a different attack, they sniffed characters from a PS/2 keyboard by monitoring the ground line in an outlet 50 feet away. They haven’t yet been able to collect more than just single strokes, but expect to get full words and sentences soon. This leakage via power line is discussed in the 1972 Tempest document we posted about earlier. The team said it wasn’t possible with USB or laptop keyboards.