Signal sniffing some laundry pay cards

It seems that [Limpkin] was up to no good this weekend. He decided to snoop around inside a smart-card laundry machine. He posted about his larceny adventure and shared the details about how card security works with this machine.

We’re shocked that the control hardware is not under lock and key. Two screws are all that secures the panel to which this PCB is mounted. We know that machines using coins have a key lock, but perhaps there isn’t much need for that if there’s no currency to steal. [Limpkin] made a pass-through connector for the ribbon cable coming in from the card reader. That’s the rainbow cable you can see above and it’s being fed to his logic sniffer. He used the ‘card detect’ signal as a trigger and captured enough data to take back to his lair for analysis. Using what he found and a Bus Pirate to test the smart card he laid bare all the data that’s being sent and received by the controller.

Live CD for RFID hacking on the go


[Milosch] wrote in to tell us that he has recently released a bootable RFID live hacking system – something he has been diligently working on for quite some time. The live distro can be used for breaking and analyzing MIFARE RFID cards, as well as a reasonable selection of other well-known card formats. The release is based off the Fedora 15 live desktop system, and includes a long list of RFID hacking tools, as well as some applications that allow for NFC tag emulation.

His toolkit also contains a baudline-based LF RFID sniffer package, allowing for a real-time waveform display of low frequency RFID tags. The LF sniffer makes use of a cheap USB sound card, as well as a relatively simple reader constructed from a handful of easy to find components.

We have seen some of [Milosch’s] handiwork before, so we are fairly confident that his toolkit contains just about everything you need to start sniffing and hacking RFID tags. If you’re interested in grabbing a copy of the ISO, just be aware that the live CD is only compatible with 64-bit systems, so older laptops need not apply.

A suitcase for all your wardriving needs

[Corrosion] sent in a tip about the Weaponised Auditing Response System he built inside a suitcase that, “has all the tools (and then some) for a wireless assault”.

The WARS is equipped with two WiFi adapters and two Bluetooth adapters for all the wardriving and bluejacking anyone could ever want. [Corrosion] also included a 4 channel, 2.4GHz video scanner for warviewing. Everything runs off of a 12 inch netbook that will eventually run Linux, and we’re really liking the 1970s suitcase aesthetic the WARS has – it looks like [Corrosion] is about to step into the set of a Beastie Boys video.

We were wondering about including a long range RFID sniffing antenna (PDF warning) behind the suitcase’s monitor and asked [Corrosion] about it. He said it sounded doable, but is out of funds at the moment, so if you know how to build a cheap RFID antenna with a 50 foot range, drop [Corrosion] a line.

There’s a video demo with some stills of the build included after the break.


IDE bus sniffing and hard drive password recovery


shackspace member [@dop3j0e] found himself in a real bind when trying to recover some data after his ThinkPad’s fingerprint scanner died. You see, he stored his hard drive password in the scanner, and over time completely forgot what it was. Once the scanner stopped working, he had no way to get at his data.

He brainstormed, trying to figure out the best way to recover his data. He considered reverse engineering the BIOS, which was an interesting exercise, but it did not yield any password data. He also thought about swapping the hard drive’s logic board with that of a similar drive, but it turns out that the password is stored on the platters, not the PCB.

With his options quickly running out, he turned to a piece of open-source hardware we’ve covered here in the past, the OpenBench Logic Sniffer. The IDE bus contains 16 data pins, and lucky for [@dop3j0e] the OpenBench has 16 5v pins as well – a perfect match. He wired the sniffer up to the laptop and booted the computer, watching SUMP for the unlock command to be issued. Sure enough he captured the password with ease, after which he unlocked and permanently removed it using hdparm.

Be sure to check out [@dop3j0e’s] presentation on the subject if you are interested in learning more about how the recovery was done.

Enhance your key fob via CAN bus hacking

[Igor] drives a 4th generation Volkswagen Golf, and decided he wanted to play around with the CAN bus for a bit. Knowing that the comfort bus is the most accessible and the safest to toy with, he started poking around to see what he could see (Google translation).

He pulled the trim off one of the rear doors and hooked into the comfort bus with an Arduino and a CAN interface module. He sniffed the bus’ traffic for a bit, then decided he would add some functionality to the car that it was sorely lacking. The car’s windows can all be rolled down by turning the key in any lock for more than a few seconds, however this cannot be done remotely. The functionality can be added via 3rd party modules or through manipulating the car’s programming with some prepackaged software, but [Igor] wanted to give it a go himself.

He programmed the Arduino to listen for longer than normal button presses coming from the remote. Once it detects that he is trying to roll the windows up or down, the Arduino issues the proper window control commands to the bus, and his wish is the car’s command.

It’s a pretty simple process, but then again he has just gotten started. We look forward to seeing what else [Igor] is able to pull off in the future. In the meantime, continue reading to see a quick video of his handiwork.

If you are interested in seeing what you might be able to do with your own car, check out this CAN bus sniffer we featured a while back.


Wireless Sniffing and Jamming of Chronos and iclicker

The ubiquitous presence of wireless devices combined with easy access to powerful RF development platforms makes the everyday world around us a wireless hacker’s playground. Yesterday [Travis Goodspeed] posted an article showing how can be used to sniff wireless traffic and also to jam a given frequency. We’ve previously covered the work of [Travis] in pulling raw data from the IM-ME spectrum analyzer, which also uses

The Texas Instruments Chronos watch dev platform contains a C1110 chip, which among other things can provide accelerometer data from the watch to an interested sniffer. The i>clicker classroom response device (which houses a XE1203F chip) is also wide open to this, yielding juicy info about your classmates’ voting behaviour. There is still some work to be done to improve, and [Travis] pays in beer–not in advance, mind you.

With products like the Chronos representing a move towards personal-area wireless networks, this sort of security hole might eventually have implications for the individual privacy of, for example, biometric data–although how that might be exploited is another topic. Related to this idea is that of sniffable RFID card data. How does the increasing adoption of short-range wireless technologies affect us, both for good and bad? We invite you to share your ideas in the comments.

Hacking a hack: disassembly and sniffing of IM-ME binary

It’s fun to pick apart code, but it gets more difficult when you’re talking about binaries. [Joby Taffey] opened up the secrets to one of [Travis Goodspeed’s] hacks by disassembling and sniffing the data from a Zombie Gotcha game binary.

We looked in on [Travis’] work yesterday at creating a game using sprites on the IM-ME. He challenged readers to extract the 1-bit sprites from an iHex binary and that’s what got [Joby] started. He first tried to sniff the LCD data traces using a Bus Pirate but soon found the clock signal was much too fast for the device to reliably capture the signals. After looking into available source code from other IM-ME hacks [Joby] found how the SPI baud rate is set, then went to work searching for that in a disassembly of [Travis’] binary. Once found, he worked through the math necessary to slow down communication from 2.7 Mbit/s to 2400 bps and altered the binary data to match that change. This slower speed is more amenable to the Bus Pirate’s capabilities and allowed him to dump the sprite data as it was sent to the LCD screen.

[Thanks Travis]