Seek and Exploit Security Vulnerabilities in an Infusion Pump

Infusion pumps and other medical devices are not your typical everyday, off-the-shelf embedded system. Best case scenario, you will rarely, if ever, come across one in your life. So for widespread exploitation, chances are that they simply seem too exotic for anyone to bother exploring their weaknesses. Yet their impact on a person’s well-being makes potential security holes tremendously more severe in case someone does decide to bother one day after all.

[Scott Gayou] is one of those someones, and he didn’t shy away from spending hundreds of hours of his free time inspecting the Smiths Medical Medfusion 4000 infusion pump for any possible security vulnerabilities. Looking at different angles for his threat model, he started with the physical handling of the device’s user interface. This allowed him to enable the external communication protocol settings, which in turn opened up the device’s FTP and Telnet ports. Not to give too much away, but he manages to gain access both to the file system content and — as a result of that — to the system’s login credentials. This alone can clearly be considered a success, but for [Scott], it merely opened a door that eventually resulted in desoldering the memory chips to reverse engineer the bootloader and firmware, and ultimately executing his own code on the device.

Understanding the implications of his discoveries, [Scott] waited long enough to publish his research so the manufacturer could address and handle these security issues. So kudos to him for fighting the good fight. And just in case the thought of someone gaining control over a machine that is crucial to your vitality doesn’t scare you enough yet, go ahead and imagine that device was actually implanted in your body.

Reading out an EPROM – with DIP switches

We’re all too spoiled nowadays with our comfortable ways to erase and write data to persistent memory, whether it’s our microcontroller’s internal flash or some external EEPROM. Admittedly, those memory technologies aren’t exactly new, but they stem from a time when their predecessors had to bathe under ultraviolet light in order to make space for something new. [Taylor Schweizer] recently came across some of these quartz-window decorated chips, and was curious to find out what is stored in them. Inspired by the BIOS reverse engineering scene in Halt and Catch Fire, he ended up building his own simple reader to display the EPROM’s content.

The 2732 he uses is a standard EPROM with 32 kbit of memory. Two pins, Chip Enable and Output Enable, serve as the main control interface, while 12 address pins select the data stored in the chip’s internal 4K x 8 arrangement, to output it on the 8 data output pins. You could of course hook up the EPROM to a microcontroller and send what you read via serial line, but [Taylor] opted for a more hands-on approach that lets him read out the data manually. He simply uses a bank of DIP switches to set the address and control pins, and added a row of LEDs as display.

As you can see from the short demonstration in the video after the break, reading out the entire EPROM would be a rather tedious task this way. If you do have more serious intentions to read out the content, you could have a look at one of those microcontroller-based solutions sending data via serial line after all.
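To make the pin-level behaviour of the 2732 concrete, here is an added example (a constructed software model, not [Taylor]’s reader or firmware) that treats the 12 address pins like a row of DIP switches, honours the two active-low control pins, and shows what a microcontroller-based reader does instead of flipping switches by hand. The chip contents are constructed sample data.

```python
# Constructed model of a 2732 EPROM read cycle (added example, not [Taylor]'s
# reader): 12 address pins select one of 4096 bytes, and that byte drives the
# 8 data pins only while both active-low control pins, CE and OE, are low.

ADDRESS_BITS = 12
SIZE = 1 << ADDRESS_BITS  # 4K x 8 arrangement


class Eprom2732:
    def __init__(self, contents):
        if len(contents) != SIZE:
            raise ValueError("a 2732 holds exactly 4096 bytes")
        self.contents = bytes(contents)

    def read(self, address_pins, ce_low=True, oe_low=True):
        """Value on the data pins for one pin setting, or None when tri-stated.

        address_pins: 12 bools, A0 first, like a row of DIP switches.
        With CE or OE high the outputs float, modelled here as None.
        """
        if len(address_pins) != ADDRESS_BITS:
            raise ValueError("need exactly 12 address pins")
        if not (ce_low and oe_low):
            return None
        address = sum(1 << i for i, closed in enumerate(address_pins) if closed)
        return self.contents[address]


def address_to_switches(address):
    """DIP switch settings (A0 first) that select the given address."""
    return [bool(address >> i & 1) for i in range(ADDRESS_BITS)]


def leds(value):
    """The 8-LED row for one byte, D7 on the left ('*' lit, '.' dark)."""
    return "".join("*" if value >> bit & 1 else "." for bit in range(7, -1, -1))


def dump(chip, start=0, length=16):
    """What a microcontroller reader does instead: walk addresses, collect bytes."""
    return bytes(chip.read(address_to_switches(a)) for a in range(start, start + length))


# Constructed contents: a short text at address 0, erased (0xFF) everywhere else.
CHIP = Eprom2732((b"HELLO 2732" + b"\xff" * SIZE)[:SIZE])
```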


Capture the Flag Challenge is the Perfect Gift

Nothing says friendship like a reverse engineering challenge on unknown terrain as a birthday present. When [Rikaard] turned 25 earlier this year, his friend [Veydh] put together a Capture the Flag challenge on an ESP8266 for him. As a software guy with no electronics background, [Rikaard] had no idea what he was presented with, but was eager to find out and to document his journey.

Left without guidance or instructions, [Rikaard] went on to learn more about the ESP8266, with the goal of dumping its flash content, hoping to find some clues in it. Discovering that the board is running NodeMCU and contains some compiled Lua files, he set foot in yet another unknown territory that led him down the Lua bytecode rabbit hole. After a detour describing his adjustments to the decompiler he uses for the ESP’s eLua implementation, his quest to capture the flag began for real.
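Why a stock decompiler needs adjusting for an embedded Lua port comes down to the chunk header: it records the type sizes the rest of the bytecode was written with. The following added example (not from [Rikaard]’s write-up or the NodeMCU project) parses the 12-byte Lua 5.1 chunk header and lists the fields that differ from what a stock 32-bit build would emit; the sample header is constructed, not a byte-exact NodeMCU chunk.

```python
import struct

# Added example, not from [Rikaard]'s write-up: parse the 12-byte header of a
# Lua 5.1 precompiled chunk (the Lua version NodeMCU's eLua derives from). A
# decompiler reads the rest of the chunk using these sizes, so a build with
# non-standard values, e.g. an integer-only lua_Number, is what forces
# decompiler adjustments.

LUA_SIGNATURE = b"\x1bLua"

# Values a stock Lua 5.1 build on a 32-bit host would emit (reference only).
STOCK_32BIT = {"endian_little": 1, "sizeof_int": 4, "sizeof_size_t": 4,
               "sizeof_instruction": 4, "sizeof_number": 8, "integral": 0}


def parse_lua51_header(chunk):
    """Return the header fields of a Lua 5.1 chunk, or raise ValueError."""
    if len(chunk) < 12 or chunk[:4] != LUA_SIGNATURE:
        raise ValueError("not a Lua precompiled chunk")
    fields = struct.unpack("<8B", chunk[4:12])
    version, fmt, endian, s_int, s_size, s_instr, s_num, integral = fields
    if version != 0x51:
        raise ValueError("expected Lua 5.1 bytecode, got version 0x%02x" % version)
    if fmt != 0:
        raise ValueError("non-official chunk format %d" % fmt)
    return {"endian_little": endian, "sizeof_int": s_int, "sizeof_size_t": s_size,
            "sizeof_instruction": s_instr, "sizeof_number": s_num,
            "integral": integral}


def decompiler_mismatches(header, expected=STOCK_32BIT):
    """Fields differing from a stock decompiler's assumptions; each needs a tweak."""
    return [k for k in expected if header[k] != expected[k]]


# Constructed sample header: little-endian, 4-byte int/size_t/Instruction, and an
# integer-only 4-byte lua_Number (assumption: the kind of deviation an embedded
# Lua port may ship with, not a byte-exact NodeMCU header).
SAMPLE_HEADER = LUA_SIGNATURE + bytes([0x51, 0, 1, 4, 4, 4, 4, 1])
```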

While this wasn’t [Rikaard]’s first reverse engineering challenge, it was his first in a completely unknown environment outside his comfort zone — the endurance he demonstrated is admirable. There is of course still a long way down the road before one opens up chips or counts transistors in a slightly more complex system.

Learn to Reverse Engineer x86_64 Binaries

Opening things up, seeing how they work, and making them do what you want are just the basic needs of the average hacker. In some cases, a screwdriver and a multimeter will do the job, but in other cases a binary blob of random software is all we have to work with. Trying to understand an unknown binary executable is an exciting way to discover a system’s internal functionality.

While the basic principles of software reverse engineering are universal across most platforms, the details naturally vary between architectures. In the case of the x86 architecture, [Leo Tindall] felt that most tutorials on the subject focus mostly on 32-bit and not so much on the 64-bit specifics. Determined to change that, [Leo] ended up with an extensive introductory tutorial for reverse engineering x86_64 binaries, starting at the very basics and then gradually moving forward using crackme examples. Covering simple string analysis and digging through disassembled binaries to circumvent fictional security, the tutorial later introduces the Radare2 framework.

All example source code is provided in the accompanying GitHub repository, although it is advised to avoid looking at it to keep things more interesting and challenging. And in case you are looking for more challenges later on, or generally prefer a closer connection to the hardware, these MSP430-based capture the flag online challenges might be worth a look next.

34C3: Microphone Bugs

Inspiration can come from many places. When [Veronica Valeros] and [Sebastian Garcia] from the MatesLab Hackerspace in Argentina learned that it took [Ai Weiwei] four years to discover his home had been bugged, they decided to have a closer look at some standard audio surveillance devices. Feeling there’s a shortage of research on the subject inside the community, they took matters into their own hands, and presented the outcome in their Spy vs. Spy: A modern study of microphone bugs operation and detection talk at 34C3. You can find the slides here, and their white paper here.

Focusing their research primarily on FM radio transmitter devices, [Veronica] and [Sebastian] start off with some historical examples and the development of such devices — nowadays available off-the-shelf for little money. While these devices may be shrugged off as a relic of Soviet-era spy fiction and a tool of analog times, their easy availability and use keep them relevant today. They conclude their research with a game of Hide and Seek as a real-life experiment, using regular store-bought transmitters.

An undertaking like this would not be complete without the RTL-SDR dongle, so [Sebastian] developed the Salamandra Spy Microphone Detection Tool as an alternative to ready-made detection devices. Using the dongle’s power levels, Salamandra detects and locates the presence of potential transmitters, keeping track of all findings. If you’re interested in some of the earliest and most technologically fascinating covert listening devices, there is no better example than Theremin’s bug.
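To illustrate the detection idea in working code, here is an added example (constructed, not Salamandra’s own code) that runs over power-level sweeps of the kind an RTL-SDR produces: it estimates the noise floor per sweep, flags narrow peaks that persist across sweeps, skips a list of known broadcast stations (an assumed operator-maintained list), and picks the strongest reading from a walk around the room to locate the source. The sweeps are constructed sample data, not real captures.

```python
from statistics import median

# Added example, not Salamandra's own code: detection logic of the kind one can
# run over power-level sweeps from an RTL-SDR. A hidden FM bug shows up as a
# narrow peak that stays well above the noise floor sweep after sweep; known
# broadcast stations are skipped and one-off bursts are filtered by persistence.


def noise_floor(sweep):
    """Median power (dB) of one sweep, a robust noise-floor estimate."""
    return median(sweep.values())


def persistent_peaks(sweeps, threshold_db=20.0, min_fraction=0.8, known_khz=()):
    """Frequencies (kHz) >= threshold_db above the floor in >= min_fraction of sweeps.

    sweeps: list of {frequency_khz: power_db} dicts, one per sweep.
    known_khz: frequencies to ignore, e.g. licensed broadcast stations
    (assumes the operator maintains such a list).
    """
    hits = {}
    for sweep in sweeps:
        floor = noise_floor(sweep)
        for freq, power in sweep.items():
            if freq not in known_khz and power - floor >= threshold_db:
                hits[freq] = hits.get(freq, 0) + 1
    needed = min_fraction * len(sweeps)
    return sorted(f for f, n in hits.items() if n >= needed)


def strongest_spot(readings):
    """Locate by walking the room: the spot where one frequency reads strongest.

    readings: {spot_name: power_db} for a single suspect frequency.
    """
    return max(readings, key=readings.get)


# Constructed sweeps (not real captures): 12 noise bins plus 99.3 MHz (a steady
# suspect), 100.1 MHz (a broadcast station) and 101.5 MHz (a one-off burst).
def make_sweep(suspect_db, burst_db=-95.0):
    sweep = {98000 + 250 * i: -96.0 - (i % 3) for i in range(12)}
    sweep.update({99300: suspect_db, 100100: -40.0, 101500: burst_db})
    return sweep


SWEEPS = [make_sweep(-60.0), make_sweep(-62.0), make_sweep(-58.0),
          make_sweep(-61.0, burst_db=-50.0), make_sweep(-59.0)]
KNOWN_STATIONS = (100100,)
```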


Coin cell powered sea turtle research

Hacking and tinkering are always fun and games, but one just has to appreciate when all efforts are additionally aimed towards doing something good. [Nikos] sets an example by combining his interest in technology with his passion for wildlife conservation, creating a low-cost and ultra-low-power temperature logger — and he is using a coin cell for it.

As the founder of a sea turtle conservation project in Greece, [Nikos] enjoys building scientific instruments that help him and his team on their mission. With a goal to log the temperature every 10 minutes over a period of at least 180 days, he designed a PCB just big enough to hold a CR2032 coin cell. Fifty of them will eventually be sealed in waterproof enclosures, and buried in the sand for the whole research duration.

Limiting the design to its bare necessities, the rest of the PCB houses a digital temperature sensor, an SPI EEPROM to hold all the recorded sensor values over those 180 days, and an ATmega328PB clocked by a 32.768 kHz crystal. Wondering what to do with all the extra, unused pins of the ATmega, [Nikos] simply routed them to pin headers, thus alternatively turning the data logger into a coin cell powered development board.

Assuming your logging interval requirements are significantly lower, you might be thrilled to hear that [Nikos] estimates an average coin cell could theoretically power the data logger in sleep mode for 7+ years, which makes him confident of reaching the 180 days goal.

Spice up your dice with Bluetooth

There’s no shortage of projects that replace your regular board game dice with an electronic version of them, bringing digital features into the real world. [Jean] however goes the other way around and brings the real world into the digital one with his Bluetooth equipped electronic dice.

These dice are built around a Simblee module that houses the Bluetooth LE stack and antenna along with an ARM Cortex-M0 on a single chip. Adding an accelerometer for side detection and a bunch of LEDs to indicate the detected side, [Jean] put it all on a flex PCB wrapped around the battery, and into a 3D printed case that is just slightly bigger than your standard die.

While they’ll work as a simple LED-lit replacement for your regular dice as-is, their biggest value is obviously the added Bluetooth functionality. In his project introduction video placed after the break, [Jean] shows a proof-of-concept game of Yahtzee displaying the thrown dice values on his mobile phone. Taking it further, he also demonstrates scenarios that map special purposes and custom behavior to selected dice, and talks about his additional ideas for the future.

After seeing the inside of the die, it seems evident that getting a Bluetooth powered D20 will unfortunately remain a dream for another while — unless, of course, you take this giant one as inspiration for the dimensions.
