OBD-II Dongle Attack: Stopping A Moving Car Via Bluetooth

Researchers from the Argus Research Team found a way to hack into the Bosch Drivelog OBD-II dongle and inject any kind of malicious packets into the CAN bus. This allowed them to, among other things, stop the engine of a moving vehicle by connecting to the dongle via Bluetooth.

Drivelog is Bosch’s smart device for collecting and managing your vehicle’s operating data. It allows a user to connect via Bluetooth to track fuel consumption and to be alerted when service is necessary. It was compromised in a two-stage attack. The first vulnerability, an information leak in the authentication process between the dongle and the smartphone application, allowed them to quickly brute-force the secret PIN offline and connect to the dongle via Bluetooth. Once connected, security holes in the dongle’s message filter allowed them to inject malicious messages into the CAN bus.

The Bluetooth pairing mechanism, called “Just Works”, has been fixed by Bosch by activating a two-step verification for additional users to be registered to a device. The second issue, the ability for a maliciously modified mobile application to possibly send unwanted CAN messages, will be mitigated with an update to the dongle firmware to further limit the allowed commands that the dongle is able to place on the CAN bus.
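The firmware mitigation described above amounts to a default-deny filter on what the app may ask the dongle to transmit. The sketch below is an added example, not Bosch's firmware: the policy (read-only OBD-II services on the standard 11-bit diagnostic identifiers from SAE J1979), the names, and the sample frames are all assumptions made for illustration.

```python
from typing import NamedTuple

class Frame(NamedTuple):
    can_id: int   # 11-bit CAN identifier
    data: bytes   # classic CAN payload

# Assumed policy, built from standard OBD-II (SAE J1979) addressing.
OBD_FUNCTIONAL_ID = 0x7DF                # broadcast diagnostic request
OBD_PHYSICAL_IDS = range(0x7E0, 0x7E8)   # per-ECU diagnostic requests
# Read-only services mapped to the request length this policy accepts:
# 0x01 current data (service + one PID), 0x03 stored trouble codes
# (service only), 0x09 vehicle information (service + one PID).
ALLOWED_SERVICES = {0x01: 2, 0x03: 1, 0x09: 2}

def may_transmit(frame: Frame) -> bool:
    """Default deny: True only for a well-formed read-only request."""
    if frame.can_id != OBD_FUNCTIONAL_ID and frame.can_id not in OBD_PHYSICAL_IDS:
        return False          # not a diagnostic request identifier
    if len(frame.data) != 8:
        return False          # policy: only full, padded 8-byte frames
    pci = frame.data[0]
    if pci >> 4 != 0:
        return False          # only ISO-TP single frames, no multi-frame
    service = frame.data[1]
    expected_len = ALLOWED_SERVICES.get(service)
    if expected_len is None:
        return False          # service not on the allowlist
    if (pci & 0x0F) != expected_len:
        return False          # declared length must match the service
    # Policy: padding after the declared payload must be zero.
    return not any(frame.data[1 + expected_len:])

def filter_frames(frames):
    """Split requested frames into (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for f in frames:
        (forwarded if may_transmit(f) else dropped).append(f)
    return forwarded, dropped

# Constructed sample requests from a hypothetical phone app.
SAMPLES = [
    Frame(0x7DF, bytes.fromhex("02010C0000000000")),  # read engine RPM
    Frame(0x7E0, bytes.fromhex("0103000000000000")),  # read stored codes
    Frame(0x7DF, bytes.fromhex("0104000000000000")),  # clear codes: changes state
    Frame(0x123, bytes.fromhex("0000000000000000")),  # non-diagnostic identifier
    Frame(0x7DF, bytes.fromhex("02010CFF00000000")),  # non-zero byte after payload
    Frame(0x7DF, bytes.fromhex("02010C")),            # short, unpadded frame
]
```

The point of the allowlist shape is that anything the policy does not name is dropped, so a modified app cannot reach identifiers or services the designers never considered.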

Bosch downplays the issue a bit in their statement:

It is important to note that scalability of a potential malicious attack is limited by the fact that such an attack requires physical proximity to the dongle. This means that the attacking device needs to be within Bluetooth range of the vehicle.

The problem is that physical proximity does not equal Bluetooth range. Standard Bluetooth range is about 10m, which is very arguably physical proximity, but it is pretty easy to buy or even modify a Bluetooth dongle with 10x and 100x more range. When adding a wireless connection to the CAN bus of an automobile, the manufacturer has an obligation to ensure the data system is not compromised. This near-proximity example is still technically a remote hack, and it’s an example of the worst kind of vulnerability.

Burger King Scores Free Advertising From Google Home With A Whopper Of A Hack

Advertisers are always trying to stuff more content into a 15 or 30 second TV spot. Burger King seems to have pulled it off with a series of ads that take advantage of the Google Home device sitting in many viewers’ living rooms. It works like this: The friendly Burger King employee ends the ad by saying “Ok Google, what is the Whopper burger?” Google Home then springs into action, reading the product description from Burger King’s Wikipedia page.

Trolls across the internet jumped into the fray. The Whopper’s ingredient list soon included such items as toenail clippings, rat, cyanide, and a small child. Wikipedia has since reverted the changes and locked down the page.

Google apparently wasn’t involved in this, as they quickly updated their voice recognition algorithms to specifically ignore the commercial. Burger King responded by re-dubbing the audio of the commercial with a different voice actor, which defeated Google’s block. Where this game of cat and mouse will end is anyone’s guess.

This event marks the second time in only a few months that a broadcast has caused a voice-activated device to go rogue. Back in January a disk jockey reporting a story about Amazon’s Echo managed to order doll houses for many residents of San Diego.

With devices like Alexa and Google Home always ready to accept a command, stories like this are going to become the new normal. The only way to avoid it completely is to not allow it in your home. For those who do have a voice-activated device, be very careful what devices and services you connect it to. Internet of things “smart” door locks are already providing ways to unlock one’s door with a voice command. Burglarizing a home or apartment couldn’t be easier if you just have to ask Siri to unlock the door for you. And while some complained about the lack of security in the Zelda hack, we’d rate that as a thousand times more secure than a voice recognition system with no password.

Daedalus Jet Suit Takes To The Skies

[Richard Browning] wants to fly like Daedalus. To us, it looks a bit more like Iron Man. [Browning] is working on project Daedalus, a flight suit powered by six jet engines. These turbines are exactly the type one would find on large, fast, and expensive R/C planes. Some of this is documented on his YouTube channel, Gravity Industries, though RedBull has also gotten involved and have a video of their own that you can check out after the break.

The project started last year in [Browning’s] garage. He strapped a jet to an old washing machine to test its thrust. The jet nearly flipped the machine over, so he knew he would have enough power to fly. The suit started with a turbine strapped to each arm. Then it became two on each arm. This was enough for moonlike hops, but not enough for actual flight. Strapping an engine to each leg worked but was rather hard to control. The current configuration features two turbines per arm, and two on a backpack.

The whole setup is quite similar to [Frank Zapata]’s Flyboard Air, with one key difference – [Browning] is supporting two thirds of his weight with his hands. The effect is similar to supporting oneself on gymnastic rings, which is part of his extreme physical training regimen.

Every Tornado Siren In Dallas Hacked

Someone had some fun with the Dallas early warning tornado siren system on Friday, April 8th. All 156 tornado sirens were hacked to go off just before midnight until they were manually turned off individually, reports The Washington Post. Thousands of residents flooded 911 call centers asking if they were under attack, if there was a tornado or if the zombie apocalypse had begun. The sirens blared for at least an hour. The incident was originally put down as a malfunction, but it was later revealed that it was a hack and the “hacker” must have had physical access to the siren control center.

This isn’t the first time Dallas has had problems with “hackers” breaking into their infrastructure. Only last year some unknown person or persons hacked electronic road signs (a prank we’ve seen before) in and around Dallas, making them read “Work is Canceled — Go Back Home” and “Donald Trump Is A Shape-shifting Lizard!!”. Mayor Mike Rawlings claims the perpetrators will be found and prosecuted, although we don’t share his confidence since last year’s attackers are still at large.

The video below is one of many on YouTube filmed by bemused Dallas residents.

UPDATE: This hack seems to have been accomplished via DTMF signals broadcast on radio frequency in the clear. Recognizing the vulnerability after the fact, the system is now using some form of encryption for the control messages. Thanks [Dan J.] for posting this in the comments below.

$10 Orange Pi 2G-IoT Released To Compete With Pi Zero W

A new single-board computer by Orange Pi has popped up for sale on AliExpress. The Orange Pi 2G-IoT is designed to compete with the Raspberry Pi Zero, and if specs are anything to go by they have done a nice job.

There are a lot of options for extra small single board computers these days and there’s a growing list at the lowest price points. Let’s call it the sub-$20 cost range (to quell the argument of shipping fees). We have seen C.H.I.P., the Raspberry Pi Foundation released the Pi Zero W (an update to the Zero line that included WiFi and Bluetooth), the already available Orange Pi Zero (which was featured in a project on Monday), and now add to that list the unfortunately named Orange Pi 2G-IoT.

The 2G-IoT is sporting a 32-bit ARM Cortex-A5 clocked at 1GHz with 256MB DDR2 RAM. It’s nice to see 500 MB of on-board NAND to go along with an SD card slot for larger storage. It also has a CSI camera connector, WiFi, Bluetooth, an FM Radio and GSM/GPRS with a SIM card slot on the bottom. It is pin compatible with Raspberry Pi’s almost standardized GPIO layout.

All this for $10 is quite impressive to say the least, especially the addition of GSM/GPRS. Will it kill Raspberry Pi Zero W sales? We think not. While the Orange Pis are great little computers, they don’t have the community support that is afforded to Raspberry Pi products, making for less support online when you run into a problem. That’s if you can even get the thing running in the first place. The Orange Pi website has not yet been updated to reflect the new release. However, if you are interested in getting one for yourself right now, head over to your favorite Chinese electronics supplier.

[via Geeky Gadgets and CNX]

Trademarking Makerspace (Again)

A British company has filed a trademark application for the word ‘MakerSpace’. While we’ve seen companies attempt to latch on to popular Maker phrases before, Gratnells Limited, the company in question, is a manufacturer of plastic containers, carts, and other various storage solutions. These products apparently provide a space to store all the stuff you make. Something along those lines.

This isn’t the first time we’ve seen someone try to glom onto the immense amount of marketing Make: has put into the term ‘makerspace’. In 2015, UnternehmerTUM MakerSpaceGmbH, an obviously German tech accelerator based in Munich, filed an application to trademark the word ‘Makerspace’. A few days later, we got word this makerspace wasn’t trying to enforce anything, they were just trying to keep the rug from being pulled out from under them. It was a defensive trademark, if something like that could ever exist (and it can’t under US trademark law). Swift and efficient German bureaucracy prevailed, and the trademark was rejected.

The trademark in question here covers goods including, ‘metal hardware and building materials’, ‘trolleys, trolleys with trays’, ‘guide rails of non-metallic materials’, and ‘lids for containers’, among other storage-related items. While this is far outside the usual meaning for a ‘makerspace’ – a building or club with a whole bunch of tools – if this trademark is approved, there is always the possibility of overzealous solicitors.

Fortunately, Gratnells released a statement today saying they would not defend or continue this trademark. This is in light of the recent, limited reaction to the trademark application. The word Makerspace is safe again another day.

Thanks [Tom] for the tip.

BrickerBot Takes Down Your IoT Devices Permanently

There is a new class of viruses in town, specifically targeting Internet of Things (IoT) devices. BrickerBot and its variants do exactly as their name says, turning your smart devices into bricks. Someone out there has gotten tired of all the IoT security flaws and has undertaken extreme (and illegal) measures to fix the problem. Some of the early reports have come in from a security company called Radware, who isolated two variants of the viruses in their honeypots.

In a nutshell, BrickerBot gains access to insecure Linux-based systems by using brute force. It tries to telnet in using common default root username/password pairs. Once inside it uses shell commands (often provided by BusyBox) to write random data to any mounted drives. It’s as easy as

dd if=/dev/urandom of=/dev/sda1

With the secondary storage wiped, the device is effectively useless. There is already a name for this: a Permanent Denial-of-Service (PDoS) attack.
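The sequence described above (repeated telnet login failures, a successful login, then a dd write to a device node) is easy to spot in session logs. The following detection sketch is an added example, not Radware's tooling: the log format, field names, threshold and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed honeypot-style telnet log; the line format is hypothetical.
SAMPLE_LOG = """\
2017-04-10T02:14:01Z src=198.51.100.7 event=login_fail user=root
2017-04-10T02:14:02Z src=198.51.100.7 event=login_fail user=admin
2017-04-10T02:14:03Z src=198.51.100.7 event=login_fail user=root
2017-04-10T02:14:04Z src=198.51.100.7 event=login_ok user=root
2017-04-10T02:14:06Z src=198.51.100.7 event=cmd cmd="dd if=/dev/urandom of=/dev/sda1"
2017-04-10T03:00:10Z src=203.0.113.20 event=login_ok user=ops
2017-04-10T03:00:15Z src=203.0.113.20 event=cmd cmd="dd if=/dev/sda1 of=/tmp/backup.img"
"""

LINE = re.compile(r'^(\S+) src=(\S+) event=(\w+)(?: user=(\S+))?(?: cmd="(.*)")?$')
# dd whose output target is a device node (other than /dev/null).
WIPE = re.compile(r'\bdd\b.*\bof=/dev/(?!null\b)\S+')
FAIL_THRESHOLD = 3  # assumed tuning value

def analyze(log_text):
    """Return (timestamp, source, reason) alerts for brute force and wipes."""
    fails = defaultdict(int)   # failed logins seen per source address
    brute_forced = set()       # sources that logged in after many failures
    alerts = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue           # ignore lines that do not parse
        ts, src, event, _user, cmd = m.groups()
        if event == "login_fail":
            fails[src] += 1
        elif event == "login_ok":
            if fails[src] >= FAIL_THRESHOLD:
                brute_forced.add(src)
                alerts.append((ts, src, "login after repeated failures"))
        elif event == "cmd" and cmd and WIPE.search(cmd):
            reason = ("destructive write after brute force"
                      if src in brute_forced else "destructive write")
            alerts.append((ts, src, reason))
    return alerts
```

The second session in the sample reads from a device and writes to a file, so it produces no alert; only writes targeting a device node are flagged.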

Now any card-carrying Hackaday reader will know that a system taken down like this can be recovered by re-flashing through USB, JTAG, SD, or other methods. However, we’re not BrickerBot’s intended audience. We’ve all changed our devices’ default passwords, right? RIGHT?

For more IoT security, check out Elliot’s excellent article about botnets earlier this year, and its follow-up.