Stealing Cars for 20 Bucks

[Yingtao Zeng], [Qing Yang], and [Jun Li], a.k.a. the [UnicornTeam], developed the cheapest way so far to hack a passive keyless entry system, as found on some cars: around $22 in parts, give or take a buck. But that’s not all, they manage to increase the previous known effective range of this type of attack from 100 m to around 320 m. They gave a talk at HITB Amsterdam, a couple of weeks ago, and shown their results.

The attack in its essence is not new, and it’s basically just creating a range extender for the keyfob.  One radio stays near the car, the other near the car key, and the two radios relay the signals coming from the car to the keyfob and vice-versa. This version of the hack stands out in that the [UnicornTeam] reverse engineered and decoded the keyless entry system signals, produced by NXP, so they can send the decoded signals via any channel of their choice. The only constraint, from what we could tell, it’s the transmission timeout. It all has to happen within 27 ms. You could almost pull this off over Internet instead of radio.

The actual keycode is not cracked, like in a HiTag2 attack. It’s not like hacking a rolling key keyfob either. The signals are just sniffed, decoded and relayed between the two devices.

A suggested fix from the researchers is to decrease this 27 ms timeout. If it is short enough, at least the distance for these types of attacks is reduced. Even if that could eventually mitigate or reduce the impact of an attack on new cars, old cars are still at risk.  We suggest that the passive keyless system is broken from the get-go: allowing the keyfob to open and start your car without any user interaction is asking for it. Are car drivers really so lazy that they can’t press a button to unlock their car? Anyway, if you’re stuck with one of these systems, it looks like the only sure fallback is the tinfoil hat. For the keyfob, of course.

[via Wired]

You Think You Can’t Be Phished?

Well, think again. At least if you are using Chrome or Firefox. Don’t believe us? Well, check out Apple new website then, at https://www.apple.com . Notice anything? If you are not using an affected browser you are just seeing a strange URL after opening the webpage, otherwise it’s pretty legit. This is a page to demonstrate a type of Unicode vulnerability in how the browser interprets and show the URL to the user. Notice the valid HTTPS. Of course the domain is not from Apple, it is actually the domain: “https://www.xn--80ak6aa92e.com/“. If you open the page, you can see the actual URL by right-clicking and select view-source.

So what’s going on? This type of phishing attack, known as IDN homograph attacks, relies on the fact that the browser, in this case Chrome or Firefox, interprets the “xn--” prefix in a URL as an ASCII compatible encoding prefix. It is called Punycode and it’s a way to represent Unicode using only the ASCII characters used in Internet host names. Imagine a sort of Base64 for domains. This allows for domains with international characters to be registered, for example, the domain “xn--s7y.co” is equivalent to “短.co”, as [Xudong Zheng] explains in his blog.

Different alphabets have different glyphs that work in this kinds of attacks. Take the Cyrillic alphabet, it contains 11 lowercase glyphs that are identical or nearly identical to Latin counterparts. These class of attacks, where an attacker replaces one letter for its counterpart is widely known and are usually mitigated by the browser:

Continue reading “You Think You Can’t Be Phished?”

Broken Yoga Becomes Firewall

It seems the older I get, the density of broken and/or old laptops on my garage grows. That’s one of the reasons it’s interesting to know which projects are being made to bring back to life these things. [zigzagjoe] sent us an interesting project he made out of a Lenovo Yoga 2 motherboard: a pfsense router/firewall.

The laptop was damaged, but the main board was functioning just fine. What started as adding an old Pentium heatsink to it and see how good it would work, escalated to a fully working, WiFi, 4 port gigabyte NIC, 3D printed case firewall. The board had PCI-E via an M.2 A/E key slot for the WiFi module but [zigzagjoe] need a normal PCI-E slot to connect the quad-port NIC. He decided to hand solder the M.2 A/E (WiFi card) to have a PCI-E 1x breakout since his searches for an adapter came out empty or too expensive. For storage, he chose 16GB SanDisk U100 Server half-slim SSD for its power efficiency. Once again, the SSD cable had to be hacked as the laptop originally used a super-slim HDD with a non-standard connector. The enclosure was then designed and 3D printed.

But [zigzagjoe] went further to optimize his brand new router/firewall. On the project documentation, we can see a lot of different modifications went into building it, such as bios modification for new WiFi modules to work, an Attiny85 fan driver for extra cooling, a 45W PSU inside the case and other interesting hacks.

This is not your typical laptop to firewall hack, that’s for sure.

Continue reading “Broken Yoga Becomes Firewall”

Pi Time – A Fabric RGB Arduino Clock

Pi Time is a psychedelic clock made out of fabric and Neopixels, controlled by an Arduino UNO. The clock started out as a quilted Pi symbol. [Chris and Jessica] wanted to make something more around the Pi and added some RGB lights. At the same time, they wanted to make something useful, that’s when they decided to make a clock using Neopixels.

Neopixels, or WS2812Bs, are addressable RGB LEDs , which can be controlled individually by a microcontroller, in this case, an Arduino. The fabric was quilted with a spiral of numbers (3.1415926535…) and the actual reading of the time is not how you are used to. To read the clock you have to recall the visible color spectrum or the rainbow colors, from red to violet. The rainbow starts at the beginning of the symbol Pi in the center, so the hours will be either red, yellow, or orange, depending on how many digits are needed to tell the time. For example, when it is 5:09, the 5 is red, and the 9 is yellow. When it’s 5:10, the 5 is orange, the first minute (1) is teal, and the second (0) is violet. The pi symbol flashes every other second.

There are simpler and more complicated ways to perform the simple task of figuring out what time it is…

We are not sure if the digits are lighted up according to their first appearance in the Pi sequence or are just random as the video only shows the trippy LEDs, but the effect is pretty nice:

Continue reading “Pi Time – A Fabric RGB Arduino Clock”

OBD-II Dongle Attack: Stopping a Moving Car via Bluetooth

Researchers from the Argus Research Team found a way to hack into the Bosch Drivelog ODB-II dongle and inject any kind of malicious packets into the CAN bus. This allowed them to, among other things, stop the engine of a moving vehicle by connecting to the dongle via Bluetooth.

Drivelog is Bosch’s smart device for collecting and managing your vehicle’s operating data. It allows a user to connect via Bluetooth to track fuel consumption and to be alerted when service is necessary. It was compromised in a two stage attack. The first vulnerability, an information leak in the authentication process, between the dongle and the smart phone application allowed them to quickly brute-force the secret PIN offline and connect to the dongle via Bluetooth. After being connected, security holes in the message filter of the dongle allowed them to inject malicious messages into the CAN bus.

The Bluetooth pairing mechanism, called “Just Works”, has been fixed by Bosh by activating a two-step verification for additional users to be registered to a device.  The second issue, the ability for a maliciously modified mobile application to possibly send unwanted CAN messages, will be mitigated with an update to the dongle firmware to further limit the allowed commands that the dongle is able to place on the CAN bus.

Bosch downplays the issue a bit in their statement:

It is important to note that scalability of a potential malicious attack is limited by the fact that such an attack requires physical proximity to the dongle. This means that the attacking device needs to be within Bluetooth range of the vehicle.

The problem is that physical proximity does not equal Bluetooth range. Standard Bluetooth range is about 10m, which is very arguable physical proximity, but it is pretty easy to buy or even modify a Bluetooth dongle with 10x and 100x more range. When adding a wireless connection to the CAN bus of an automobile, the manufacturer has an obligation to ensure the data system is not compromised. This near-proximity example is still technically a remote hack, and it’s an example of the worst kind of vulnerability.

Is My Password Safe? Practices for People Who Know Better

A couple of weeks back a report came out where [Tavis Ormandy], a widely known security researcher for Google Project-Zero, showed how it was possible to abuse Lastpass RPC commands and steal user passwords. Irony is… Lastpass is a software designed to keep all your passwords safe and it’s designed in a way that even they can’t access your passwords, the passwords are stored locally using strong cryptography, only you can access them via a master-key. Storing all your passwords in only place has its downfalls. By the way, there is no proof or suggestion that this bug was abused by anyone, so if you use Lastpass don’t worry just yet.

But it got me thinking, how worried and how paranoid should a regular Internet user should be about his password? How many of us have their account details exposed somewhere online? If you’ve been around long enough, odds are you have at least a couple of accounts on some major Internet-based companies. Don’t go rushing into the Dark Web and try to find if your account details are being sold. The easiest way to get your paranoia started is to visit Have I Been Pwned. For those who never heard about it, it’s a website created by [Troy Hunt], a well-known security professional. It keeps track of all known public security breaches he can get his hands on and provides an answer to a simple question: “Was my account in any major data leak?” Let’s take a look.

Continue reading “Is My Password Safe? Practices for People Who Know Better”

Modern DIY FM radio

Back in the day, building a DIY radio was fun! We only had to get our hands at a germanium diode, make some coils, and with a resistor and long wire as an antenna maybe we could get some sound out of those old white earplugs. That was back then. Now we have things like the Si4703 FM tuner chip that can tune in FM radio in the 76–108 MHz range, comes with integrated AGC and AFC, controlled by I2C, as well as a bunch of other acronyms which seem to make the whole DIY radio-building process outdated. The challenges of the past resulted in the proven solutions of the present in which we build upon.

This little project by [Patrick Müller] is a modern radio DIY tutorial. With an Arduino Nano as the brains and controller for an Si4703 breakout board, he builds a completely functional and portable FM radio. A small OLED display lets the user see audio volume, frequency, selected station and still has space left to show the current available battery voltage. It has volume control, radio station seek, and four buttons that allows quick access to memorized stations. The source code shows how it is possible to control the Si4703 FM tuner chip to suit your needs.

As for ICs, not everything is new, [Patrick] still used the good old LM386 amp to drive the speaker, which is almost 35 years old by now. As we can listen in the demo video, it can still output some seriously loud music sounds!

Continue reading “Modern DIY FM radio”