Author: Rick Osgood

225 Articles

Arris Vulnerability

Bad Code Results In Useless Passwords

December 7, 2014 by 18 Comments

[HeadlessZeke] was excited to try out his new AT&T wireless cable box, but was quickly dismayed by the required wireless access point that came bundled with it. Apparently in order to use the cable box, you also need to have this access point enabled. Not one to blindly put unknown devices on his network, [HeadlessZeke] did some investigating.

The wireless access point was an Arris VAP2500. At first glance, things seemed pretty good. It used WPA2 encryption with a long and seemingly random key. Some more digging revealed a host of security problems, however.

It didn’t take long for [HeadlessZeke] to find the web administration portal. Of course, it required authentication and he didn’t know the credentials. [HeadlessZeke] tried connecting to as many pages as he could, but they all required user authentication. All but one. There existed a plain text file in the root of the web server called “admin.conf”. It contained a list of usernames and hashed passwords. That was strike one for this device.

[HeadlessZeke] could have attempted to crack the passwords but he decided to go further down this rabbit hole instead. He pulled the source code out of the firmware and looked at the authentication mechanism. The system checks the username and password and then sets a cookie to let the system know the user is authenticated. It sounds fine, but upon further inspection it turned out that the data in the cookie was simply an MD5 hash of the username. This may not sound bad, but it means that all you have to do to authenticate is manually create your own cookie with the MD5 hash of any user you want to use. The system will see that cookie and assume you’ve authenticated. You don’t even have to have the password! Strike two.

Now that [HeadlessZeke] was logged into the administration site, he was able to gain access to more functions. One page actually allows the user to select a command from a drop down box and then apply a text argument to go with that command. The command is then run in the device’s shell. It turned out the text arguments were not sanitized at all. This meant that [HeadlessZeke] could append extra commands to the initial command and run any shell command he wanted. That’s strike three. Three strikes and you’re out!

[HeadlessZeke] reported these vulnerabilities to Arris and they have now been patched in the latest firmware version. Something tells us there are likely many more vulnerabilities in this device, though.

[via Reddit]

amazonfiretv

Amazon Fire TV Update Bricks Hacked Devices

December 7, 2014 by 60 Comments

The Amazon Fire TV is Amazon’s answer to all of the other streaming media devices on the market today. Amazon is reportedly selling these devices at cost, making very little off of the hardware sales. Instead, they are relying on the fact that most users will rent or purchase digital content on these boxes, and they can make more money in the long run this way. In fact, the device does not allow users to download content directly from the Google Play store, or even play media via USB disk. This makes it more likely that you will purchase content though Amazon’s own channels.

We’re hackers. We like to make things do what they were never intended to do. We like to add functionality. We want to customize, upgrade, and break our devices. It’s fun for us. It’s no surprise that hackers have been jail breaking these devices to see what else they are capable of. A side effect of these hacks is that content can be downloaded directly from Google Play. USB playback can also be enabled. This makes the device more useful to the consumer, but obviously is not in line with Amazon’s business strategy.

Amazon’s response to these hacks was to release a firmware update that will brick the device if it discovers that it has been rooted. It also will not allow a hacker to downgrade the firmware to an older version, since this would of course remove the root detection features.

This probably doesn’t come as a surprise to most of us. We’ve seen this type of thing for years with mobile phones. The iPhone has been locked to the Apple Store since the first generation, but the first iPhone was jailbroken just days after its initial release. Then there was the PlayStation 3 “downgrade” fiasco that resulted in hacks to restore the functionality. It seems that hackers and corporations are forever destined to disagree on who actually owns the hardware and what ownership really means. We’re locked in an epic game of cat and mouse, but usually the hackers seem to triumph in the end.

InfoFuse

This Message Will Self Destruct… As You Read It?

December 6, 2014 by 27 Comments

A group of Harvard chemists have come up with a novel use for fire. Through experimentation, they have been able to build what they call an InfoFuse. As the name implies, it’s essentially a burning fuse that can “transmit” information.

The fuse is made from flash paper, which is paper made from nitrocellulose. Flash paper burns at a relatively constant speed and leaves no smoke or ash, making it ideal for this type of project. The chemists developed a method of conveying information by changing the color of the flame on the paper. You might remember from high school chemistry class that you can change the color of fire by burning different metal salts. For example, burning copper can result in a blue flame. This is the key to the system.

The researchers dotted the flash paper with small bits of metal salts. As the flame reaches these spots, it briefly changes colors. They had to invent an algorithm to convert different color patterns to letters and numbers. It’s sort of like an ASCII table for fire. Their system uses only three colors. The three colors represent eight possible combinations of color at any given time. Just two quick pulses allow the researchers to convey all 26 letters of the English alphabet as well as ten digits and four symbols. In one test, the researchers were able to transmit a 20 character message in less than 4 seconds.

[Ben Krasnow] found the Harvard project and just had to try it out for himself. Rather than use colors to convey information, he took a more simple approach. He started with a basic strip of flash paper, but left large tabs periodically along its length. As the paper burns from end to end, it periodically hits one of these tabs and the flame gets bigger momentarily.

[Ben] uses an optical sensor and an oscilloscope to detect the quantity of light. The scope clearly shows the timing of each pulse of light, making it possible to very slowly convey information via fire. Ben goes further to speculate that it might be possible to build a “fire computer” using a similar method. Perhaps using multiple strips of paper, one can do some basic computational functions and represent the result in fire pulses. He’s looking for ideas, so if you have any be sure to send them his way! Also, be sure to check out Ben’s demonstration video below. Continue reading “This Message Will Self Destruct… As You Read It?”

Social Logons

SpoofedMe Attack Steals Accounts By Exploiting Social Login Mechanisms

December 5, 2014 by 34 Comments

We’ve all seen the social logon pop up boxes. You try to log into some website only to be presented with that pop up box that says, “Log in with Facebook/Twitter/Google”. It’s a nice idea in theory. You can log into many websites by using just one credential. It sounds convenient, but IBM X-Force researchers have recently shown how this can be bad for the security of your accounts. And what’s worse is you are more vulnerable if the service is offered and you are NOT using it. The researcher’s have called their new exploit SpoofedMe. It’s aptly named, considering it allows an attacker to spoof a user of a vulnerable website and log in under that user’s account.

So how does it work? The exploit relies on vulnerabilities in both the identity provider (Facebook/Twitter/etc) and the “relying website”. The relying website is whatever website the user is trying to log into using their social media account. The easiest way to describe the vulnerability is to walk through an example. Here we go.

Let’s imagine you are an attacker and you want to get into some victim’s Slashdot account. Slashdot allows you to create a local account within their system if you like, or you can log in using your LinkedIn account. Your victim doesn’t actually have a LinkedIn account, they use a local Slashdot account.

The first step of your attack would be to create a LinkedIn account using your victim’s email address. This needs to be the same address the victim is using for their local Slashdot account. This is where the first vulnerability comes in. LinkedIn needs to allow the creation of the account without verifying that the email address belongs to you.

The second step of the attack is now to attempt to log into Slashdot using your newly created LinkedIn account. This is where the second vulnerability comes in. Some social media services will authenticate you to websites like Slashdot by sending Slashdot your user information. In this case, the key piece of information is your email address. Here’s the third vulnerability. Slashdot sees that your LinkedIn account has the same email address as one of their local users. Slashdot assumes that LinkedIn has verified the account and permits you, the attacker, to log in as that user. You now have access to your victim’s Slashdot account. In another scenario, Slashdot might actually merge the two credentials together into one account.

What’s really interesting about this hack is that it isn’t even very technical. Anyone can do this. All you need is the victim’s email address and you can try this on various social media sites to see if it works. It’s even more interesting that you are actually more vulnerable if you are not using the social logons. Some real world examples of this vulnerability are with LinkedIn’s social logon service, Amazon’s service, and MYDIGIPASS.com’s service. Check out the demonstration video below. Continue reading “SpoofedMe Attack Steals Accounts By Exploiting Social Login Mechanisms”

Paypal CSRF

Hacking PayPal Accounts With CSRF

December 4, 2014 by 17 Comments

The computer security industry has made many positive changes since the early days of computing. One thing that seems to be catching on with bigger tech companies is bug bounty programs. PayPal offers such a program and [Yasser] decided to throw his hat in the ring and see if he could find any juicy vulnerabilities. His curiosity paid off big time.

Paypal is a huge player in the payment processing world, but that doesn’t mean they aren’t without their flaws. Sometimes the bigger the target, the more difficult it is to find problems. [Yasser] wanted to experiment with a cross-site request forgery attack. This type of attack typically requires the attacker to trick the victim into clicking a malicious link. The link would then impersonate the victim and make requests on the victim’s behalf. This is only made possible if the victim is logged into the target website.

PayPal has protection mechanisms in place to prevent this kind of thing, but [Yasser] found a loophole. When a user logs in to make a request, PayPal gives them an authentication token. This token is supposed to be valid for one user and one request only. Through experimentation, [Yasser] discovered a way to obtain a sort of “skeleton key” auth token. The attacker can attempt to initiate a payment transfer without first logging in to any PayPal account. Once the transfer is attempted, PayPal will request the user to authenticate. This process produces an auth token that apparently works for multiple requests from any user. It renders the authentication token almost entirely ineffective.

Once the attacker has a “universal auth token”, he can trick the victim into visiting a malicious web page. If the user is logged into their PayPal account at the time, the attacker’s webpage can use the universal auth token to trick the victim’s computer into making many different PayPal requests. Examples include adding email addresses to the account, changing the answers to security questions, and more. All of this can be done simply by tricking the user into clicking on a single link. Pretty scary.

[Yasser] was responsible with his disclosure, of course. He reported the bug to PayPal and reports that it was fixed promptly. It’s always great to see big companies like PayPal promoting responsible disclosure and rewarding it rather than calling the lawyers. Be sure to catch a video demonstration of the hack below. Continue reading “Hacking PayPal Accounts With CSRF”

Thermostat

Custom Raspberry Pi Thermostat Controller

November 26, 2014 by 13 Comments

Thermostats can be a pain. They often only look at one sensor in a multi-room home and then set the temperature based on that. The result is one room that’s comfortable and other rooms that are not. Plus, you generally have to get up off the couch to change the temperature. In this day and age, who wants to do that? You could buy an off-the-shelf solution, but sometimes hacking up your own custom hardware is just so much more fun.

[redditseph] did exactly that by modifying his home thermostat to be controlled by a Raspberry Pi. The temperature is controlled by a simple web interface that runs on the Pi. This way, [redditseph] can change the temperature from any room in his home using a computer or smart phone. He also built multi-sensor functionality into his design. This means that the Pi can take readings from multiple rooms in the home and use this data to make more intelligent decisions about how to change the temperature.

The Pi needed a way to actually talk to the thermostat. [redditseph] made this work with a relay module. The Pi flips one side of the relays, which then in turn switches the buttons that came built into the thermostat. The Pi is basically just emulating a human pressing buttons. His thermostat had terminal blocks inside, so [redditseph] didn’t have to risk damaging it by soldering anything to it. The end result is a functional design that has a sort of cyberpunk look to it.

[via Reddit]

telepresence

Telepresence Robot Demo Unit Breaks Free Of Its Confinement

November 26, 2014 by 43 Comments

What happens when you put a telepresence robot online for the world to try out for free? Hilarity of course. Double Robotics is a company that builds telepresence robots. The particular robot in question is kind of like a miniature Segway with a tablet computer on top. The idea is you can control it with your own tablet from a remote location. This robot drives around with your face on the screen, allowing you to almost be somewhere when you can’t (or don’t want to) be there in person.

Double Robotics decided to make one of these units accessible to the Internet as a public demonstration. Of course, they couldn’t have one of these things just roaming about their facility unrestrained. They ended up keeping it locked in an office. This gives users the ability to drive it around a little bit and get a feel for the robot. Of course it didn’t take long for users to start to wonder how they could break free from their confinement.

One day, a worker left the office door cracked open ever so slightly. A user noticed this and after enough patience and determination, managed to use the robot to get the door opened. It appears as though the office was closed at the time, so no one was around to witness the event. A joy ride ensued and the robot hid its tracks by locking itself back in the room and docking to the charging station.

While this isn’t a hack in the typical sense, this is a perfect example of the hacker mindset. You are given some new technology and explore it to the extent at which you are supposed too. After that, many people would just toss it aside and not give it a second thought. Those with the hacker mindset are different, though. Our next thought is usually, “What else can I do with it?” This video demonstrates that in a fun and humorous way. Hopefully the company learns its lesson and puts a leash on that thing. Continue reading “Telepresence Robot Demo Unit Breaks Free Of Its Confinement”