Author: Jonathan Bennett

What to Do When the Botnet Comes Knocking

March 21, 2019 by 25 Comments

“It was a cold and windy night, but the breeze of ill omen blowing across the ‘net was colder. The regular trickle of login attempts suddenly became a torrent of IP addresses, all trying to break into the back-end of the Joomla site I host. I poured another cup of joe, it was gonna be a long night.”

Tech noir aside, there was something odd going on. I get an email from that web-site each time there is a failed login. The occasional login attempt isn’t surprising, but this was multiple attempts per minute, all from different IP addresses. Looking at the logs, I got the feeling they were pulling usernames and passwords from one of the various database dumps, probably also randomly seeding information from the Whois database on my domain.

Continue reading “What to Do When the Botnet Comes Knocking”

Spoiler, Use-After-Free, and Ghidra: This Week in Computer Security

March 13, 2019 by 23 Comments

The past few days have been busy if you’re trying to keep up with the pace of computer security news. Between a serious Chromium bug that’s actively being exploited on Windows 7 systems, the NSA releasing one of their tools as an open source project, and a new Spectre-like speculative execution flaw in Intel processors, there’s a lot to digest.
Continue reading “Spoiler, Use-After-Free, and Ghidra: This Week in Computer Security”

Hack My House: Raspberry Pi as a Touchscreen Thermostat

February 27, 2019 by 35 Comments

Your thermostat is some of the oldest and simplest automation in your home. For years these were one-temperature setting and nothing more. Programmable thermostats brought more control; they’re alarm clocks attached to your furnace. Then Nest came along and added beautiful design and “learning features” that felt like magic compared to the old systems. But we can have a lot more fun. I’m taking my favorite single-board computer, the Raspberry Pi, and naming it keeper of heat (and cool) by building my own touchscreen thermostat.

Mercury thermostats started it all, and were ingenious in their simplicity — a glass capsule containing mercury, attached to a wound bi-metal strip. As the temperature changes, the contraption tilts and the mercury bead moves, making or breaking contact with the wiring. More sophisticated thermostats have replaced the mercury bead with electronics, but the signaling method remains the same, just a simple contact switch.

This makes the thermostat the prime target for an aspiring home automation hacker. I’ve had this particular project in mind for quite some time, and was excited to dive into it with simple raw materials: my Raspberry Pi, a touchscreen, and a mechanical relay board.

Continue reading “Hack My House: Raspberry Pi as a Touchscreen Thermostat”

Hack My House: Garage Door Cryptography Meets Raspberry Pi

February 13, 2019 by 51 Comments

Today’s story is one of victory and defeat, of mystery and adventure… It’s time to automate the garage door. Connecting the garage door to the internet was a must on my list of smart home features. Our opener has internet connection capabilities built-in. As you might guess, I’m very skeptical of connecting a device to the internet when I have no control over the software running on it.

The garage door is controlled by a button hung on the garage wall. There is only a pair of wires, so a simple relay should be all that is needed to simulate the button press from a Raspberry Pi. I wired a relay module to a GPIO on the Pi mounted in the garage ceiling, and wrote a quick and dirty test program in Python. Sure enough, the little relay was clicking happily– but the garage door wasn’t budging. Time to troubleshoot. Does the push button still work? *raises the garage door* yep. How about the relay now? *click…click* nope.

You may have figured out by now, but this garage door opener isn’t just a simple momentary contact push button. Yes, that’s a microcontroller, in a garage door button. This sort of scenario calls for forensic equipment more capable than a simple multimeter, and so I turned to Amazon for a USB oscilloscope that could do some limited signal analysis. A device with Linux support was a must, and Pico Technology fit the bill nicely.

Searching for a Secret We Don’t Actually Need

My 2 channel Picotech oscilloscope, the 2204A, finally arrived, and it was time to see what sort of alien technology was in this garage door opener. There are two leads to the button, a ground and a five volt line. When the button is pressed, the microcontroller sends data back over that line by pulling the 5 V line to ground. If this isn’t an implementation of Dallas 1-wire, it’s a very similar concept.

Continue reading “Hack My House: Garage Door Cryptography Meets Raspberry Pi”

Unlocking God Mode on x86 Processors

February 3, 2019 by 38 Comments

We missed this Blackhat talk back in August, but it’s so good we’re glad to find out about it now. [Christopher Domas] details his obsession with hidden processor instructions, and how he discovered an intentional backdoor in certain x86 processors. These processors have a secondary RISC core, and an undocumented procedure to run code on that core, bypassing the normal user/kernel separation mechanisms.

The result is that these specific processors have an intentional mechanism that allows any unprivileged user to jump directly to root level access. The most fascinating part of the talk is the methodical approach [Domas] took to discover the details of this undocumented feature. Once he had an idea of what he was looking for, he automated the process of checking every possible x86 instruction, looking for the one instruction that allowed running code on that extra core. The whole talk is entertaining and instructional, check it out after the break!

There’s a ton of research poking at the instruction level of complication processors. One of our favorites, also by [Domas], is sandsifter which searches for undocumented instructions.

Continue reading “Unlocking God Mode on x86 Processors”

Starlite: Super Material That Protects Hands from Pesky Blowtorches

December 30, 2018 by 41 Comments

A super-material that’s non-toxic, highly flame resistant, and a good enough insulator, you can literally hold fire in your hand? Our interest was definitely caught by [NightHawkInLight] and his recent video about Starlite, embedded below the break.

Starlite was the brainchild of English hairdresser, [Maurice Ward]. The famous demo was an egg, coated in Starlite, and blasted with a blowtorch for a full 5 minutes. After heating, he cracked the egg to show it still raw. The inventor died in 2011, and apparently the recipe for Starlite died with him.

[NightHawkInLight] realized he had already made something very similar, the Pharoah’s Serpent demonstration, also known as a black snake. In both examples, a carbon foam is produced, providing flame resistance and insulation. A bit of trial and error later, and he’s out doing the original Starlight demo, pointing the blow torch at his hand instead of an egg.

Continue reading “Starlite: Super Material That Protects Hands from Pesky Blowtorches”

Five Year Old Bug Spawns Router Botnet Monster

November 23, 2018 by 38 Comments

In the news has been yet another router botnet. [Hui Wang] and [RootKiter] of 360Netlab announced their discovery of what they call the “BCMUPnP_Hunter” rootkit. They estimate this botnet to be running on over 100,000 routers worldwide.

There are two elements of this story that I found particularly baffling. First, this botnet infects routers using a vulnerability that was first reported by Defensecode over five years ago, in 2013! The second oddity is the wide range of devices that are vulnerable and are now part of the botnet. Dozens of brands and at least 116 models have been found to be infected.

One of the details of this story hasn’t been reported entirely accurately. The bug is not built into the Broadcom chipset. Unlike Spectre and Meltdown, it’s not actually a hardware fault. Broadcom distributes a Software Development Kit (SDK) that enables device manufacturers like D-Link, TP-Link, and Linksys to quickly develop firmware for routers using Broadcom chips. The vulnerability lies in this code, rather than part of the hardware itself.

Continue reading “Five Year Old Bug Spawns Router Botnet Monster”