Your Noisy Fingerprints Vulnerable To New Side-Channel Attack

Here’s a warning we never thought we’d have to give: when you’re in an audio or video call on your phone, avoid the temptation to doomscroll or use an app that requires a lot of swiping. Doing so just might save you from getting your identity stolen through the most improbable vector imaginable — by listening to the sound your fingerprints make on the phone’s screen (PDF).

Now, we love a good side-channel attack as much as anyone, and we’ve covered a lot of them over the years. But things like exfiltrating data by blinking hard drive lights or turning GPUs into radio transmitters always seemed a little far-fetched to be the basis of a field-practical exploit. But PrintListener, as [Man Zhou] et al dub their experimental system, seems much more feasible, even if it requires a ton of complex math and some AI help. At the heart of the attack are the nearly imperceptible sounds caused by friction between a user’s fingerprints and the glass screen on the phone. These sounds are recorded along with whatever else is going on at the time, such as a video conference or an online gaming session. The recordings are preprocessed to remove background noise and subjected to spectral analysis, which is sensitive enough to detect the whorls, loops, and arches of the unsuspecting user’s finger.

Once fingerprint patterns have been extracted, they’re used to synthesize a set of five similar fingerprints using MasterPrint, a generative adversarial network (GAN). MasterPrint can generate fingerprints that can unlock phones all by itself, but seeding the process with patterns from a specific user increases the odds of success. The researchers claim they can defeat Automatic Fingerprint Identification System (AFIS) readers between 9% and 30% of the time using PrintListener — not fabulous performance, but still pretty scary given how new this is.

Audio Eavesdropping Exploit Might Make That Clicky Keyboard Less Cool

Despite their claims of innocence, we all know that the big tech firms are listening to us. How else to explain the sudden appearance of ads related to something we’ve only ever spoken about, seemingly in private but always in range of a phone or smart speaker? And don’t give us any of that fancy “confirmation bias” talk — we all know what’s really going on.

And now, to make matters worse, it turns out that just listening to your keyboard clicks could be enough to decode what’s being typed. To be clear, [Georgi Gerganov]’s “KeyTap3” exploit does not use any of the usual RF-based methods we’ve seen for exfiltrating data from keyboards on air-gapped machines. Rather, it uses just a standard microphone to capture audio while typing, building a cluster map of the clicks with similar sounds. By analyzing the clusters against the statistical likelihood of certain sequences of characters appearing together — the algorithm currently assumes standard English, and works best on clicky mechanical keyboards — a reasonable approximation of the original keypresses can be reconstructed.

If you’d like to see it in action, check out the video below, which shows the algorithm doing a pretty good job decoding text typed on an unplugged keyboard. Or, try it yourself — the link above implements KeyTap3 in-browser. We gave it a shot, but as a member of the non-mechanical keyboard underclass, it couldn’t make sense of the mushy sounds it heard. Then again, our keyboard inferiority affords us some level of protection from the exploit, so there’s that.

Editor’s Note: Just tried it on a mechanical keyboard with Cherry MX Blue switches and it couldn’t make heads or tails of what was typed, so your mileage may vary. Let us know if it worked for you in the comments.

What strikes us about this is that it would be super simple to deploy an exploit like this. Most side-channel attacks require such a contrived scenario for installing the exploit that just breaking in and stealing the computer would be easier. All KeyTap needs is a covert audio recording, and the deed is done.

Tiny Ethernet Cable Arms Race Spawns From Reddit Discussion

If you’ve had any dealings with Cat 5 and Cat 6 cable, and let’s be honest, who hasn’t, you’ve probably wrestled with lengths anywhere from 1 meter to 25 meters if you’re hooking up a long haul. Network admins will be familiar with the 0.1 m variety for neat hookups in server cabinets. However, a Reddit community has recently taken things further.

It all started on r/ubiquiti, where user [aayo-gorkhali] posted a custom-built cable just over 2 inches long. The intention was to allow a Ubiquiti U6-IW access point to be placed on a wall. The tiny cable was used to hook up to the keystone jack that formerly lived in that position, as an alternative to re-terminating the wall jack into a regular RJ45 connector.

Naturally this led to an arms race, with [darkw1sh] posting a shorter example with two RJ-45 connectors mounted back to back with the bare minimum of cable crimped into the housings. [Josh_Your_IT_Guy] broke out the belt sander to one-up that effort, producing a cable measuring just over an inch in length.

[rickyh7] took things further, posting a “cable” just a half-inch long (~13 mm). In reality, it consists of just the pinned section of two RJ-45 connectors mounted back to back, wired together in the normal way. While electrically it should work, and it passes a cable tester check, it would be virtually impossible to actually plug it into two devices at once due to its tiny length.

We want to see this go to the logical end point, though. This would naturally involve hacking away the plastic casings off a pair of laptops and soldering their motherboards together at the traces leading to the Ethernet jack. Then your “cable” is merely the width of the solder joint itself.

Alternatively, you could spend your afternoon learning about other nifty hacks with Ethernet cables that have more real-world applications!

Improved Thermochromic Clock Uses PCB Heaters For Better Contrast

We love timepiece projects round these parts, so here we are with another unusual 7-segment clock design. Hackaday’s own [Moritz Sivers] wasn’t completely satisfied with his last thermochromic clock, so he has gone away and built another one, solved a few of the issues, and this time designed it to be wall mounted. The original design had a single heater PCB using discrete resistors as heating elements. This meant that the heat from active elements spread out to adjacent areas, reducing the contrast a little and making it a bit hard to read, but it did look really cool nonetheless.

This new version dispenses with the resistors, using individual segment-shaped PCBs with heater traces, which gives the segment a more even heat and limited bleeding of heat into neighbouring inactive air-gapped segments. Control is via the same Wemos D1 Mini ESP8266 module, driving a chain of 74HC595 shift registers and a pile of dual NMOS transistors. A DS18B20 thermometer allows the firmware to adjust for ambient temperature, giving more consistency to the colour change effect. All this is wrapped up in an aluminium frame, and the results look pretty nice if you ask us.

Both PCB designs and the Arduino firmware can be found on the project GitHub, so reproducing this should be straightforward enough for those so inclined. Just make sure your power supply can handle at least 3 amps, as these heaters sure are power hungry!

Got a perfectly good clock, but desperately need a thermochromic temperature/humidity display? [Moritz] has you covered. And if this digital clock is just too simple, how about a mad 1024-element analog thermochromic clock instead?

This Week In Security: Printing Shellz, Ms-officecmd, And AI Security

Researchers at F-Secure have developed an impressive new attack, leveraging HP printers as an unexpected attack surface. Printing Shellz (PDF) is a one-click attack, where simply visiting a malicious webpage is enough to get a shell and reverse proxy installed to a printer on the same network. The demo below uses a cross-site printing (XSP) attack to send the malicious print job to the printer without any further interactions.

Ethernet Goes To The Ether

Since the ether is an old term for the fictitious space where radio waves propagate, we always thought it was strange that the term ethernet refers to wired communication. Sure, there are wireless devices, but that’s not really ethernet. [Jacek] had the same thought, but decided to do something about it.

What he did is use two different techniques to alter the electromagnetic emission from an ethernet adapter on a Raspberry Pi. The different conditions send Morse code that you can receive at 125 MHz with a suitable receiver.

Practical? Hardly, unless you are looking to exfiltrate data from an air-gapped machine, perhaps. But it does have a certain cool factor. The first method switches the adapter between 10 Mbps and 100 Mbps. The second technique uses a stream of data to accomplish the modulation. The switching method had a range of around 100 meters while the data-based method topped out at about 30 meters. The code is on GitHub if you want to replicate the experiment.
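On the defensive side, the first method has a visible cost: every switch between 10 Mbps and 100 Mbps is a link renegotiation. The following is an added example, not code from [Jacek]'s project, that flags interfaces whose negotiated speed changes repeatedly in a short window; the log format, the sample lines, the 60-second window and the threshold of four changes are all assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the style of Linux phylib link messages (not captured data).
SAMPLE_LOG = """\
2024-05-01T09:00:00 kernel: eth1: Link is Up - 1Gbps/Full - flow control rx/tx
2024-05-01T10:00:00 kernel: eth0: Link is Up - 100Mbps/Full - flow control off
2024-05-01T10:00:03 kernel: eth0: Link is Down
2024-05-01T10:00:04 kernel: eth0: Link is Up - 10Mbps/Full - flow control off
2024-05-01T10:00:08 kernel: eth0: Link is Up - 100Mbps/Full - flow control off
2024-05-01T10:00:12 kernel: eth0: Link is Up - 10Mbps/Full - flow control off
2024-05-01T10:00:16 kernel: eth0: Link is Up - 100Mbps/Full - flow control off
2024-05-01T10:00:20 kernel: eth0: Link is Up - 10Mbps/Full - flow control off
2024-05-01T11:30:00 kernel: eth1: Link is Up - 100Mbps/Full - flow control rx/tx
"""

LINK_UP = re.compile(r"^(\S+) kernel: (\S+): Link is Up - (\d+)([MG])bps/")

def parse_link_events(text):
    """Return (timestamp, interface, speed_mbps) for every link-up line."""
    events = []
    for line in text.splitlines():
        m = LINK_UP.match(line)
        if m:  # link-down and unrelated lines are skipped
            speed = int(m.group(3)) * (1000 if m.group(4) == "G" else 1)
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), speed))
    return events

def flag_speed_flapping(events, window=timedelta(seconds=60), threshold=4):
    """Map interface -> most speed changes seen inside any window, if >= threshold."""
    last_speed, changes = {}, {}
    for ts, iface, speed in sorted(events):
        if iface in last_speed and last_speed[iface] != speed:
            changes.setdefault(iface, []).append(ts)
        last_speed[iface] = speed
    flagged = {}
    for iface, stamps in changes.items():
        best = start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until the span fits.
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[iface] = best
    return flagged

if __name__ == "__main__":
    print(flag_speed_flapping(parse_link_events(SAMPLE_LOG)))
```

A single renegotiation, like the one on `eth1` in the sample, stays below the threshold; only sustained toggling is reported.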

There is plenty of precedent for this sort of thing. In 1976 Dr. Dobb’s Journal published an article about playing music on an Altair 8800 by running code while an AM radio was nearby. We’ve seen VGA adapters forced to transmit data, too.

Physical Security Hack Chat With Deviant Ollam

Join us on Wednesday, June 3 at noon Pacific for the Physical Security Hack Chat with Deviant Ollam!

You can throw as many resources as possible into securing your systems — patch every vulnerability religiously, train all your users, monitor their traffic, eliminate every conceivable side-channel attack, or even totally air-gap your system — but it all amounts to exactly zero if somebody leaves a door propped open. Or if you’ve put a $5 padlock on a critical gate. Or if your RFID access control system is easily hacked. Ignore details like that and you’re just inviting trouble in.

Once the black-hats are on the inside, their job becomes orders of magnitude easier. Nothing beats hands-on access to a system when it comes to compromising it, and even if the attacker isn’t directly interfacing with your system, having him or her on the inside makes social engineering attacks that much simpler. System security starts with physical security, and physical security starts with understanding how to keep the doors locked.

To help us dig into that, Deviant Ollam will stop by the Hack Chat. Deviant works as a physical security consultant and he’s a fixture on the security con circuit and denizen of many lockpicking villages. He’s well-versed in what it takes to keep hardware safe from unauthorized visits or to keep it from disappearing entirely. From CCTV systems to elevator hacks to just about every possible way to defeat a locked door, Deviant has quite a bag of physical security tricks, and he’ll share his insights on keeping stuff safe in a dangerous world.

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, June 3 at 12:00 PM Pacific time. If time zones have you down, we have a handy time zone converter.

Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about.