Superconference Interview: Samy Kamkar

July 26, 2017 by Mike Szczys 3 Comments

Samy Kamkar has an incredible arsenal of self-taught skills that have grown into a remarkable career as a security researcher. He dropped out of high school to found a company based on Open Source Software and became infamous for releasing the Samy worm on the MySpace platform. But in our minds Samy has far outpaced that notoriety with the hardware-based security exploits he’s uncovered over the last decade. And he’s got a great gift for explaining these hacks — from his credit card magstripe spoofing experiments to hacking keyless entry systems and garage door opener remotes — in great depth during his talk at the 2016 Hackaday Superconference.

We pulled Samy aside after his talk to discuss how the security scene has grown up over the years and asked him to share his advice for people just coming up now. We’re happy to publish it for the first time today, it can be seen below.

Now it’s your turn. The Call for Proposals is now open for the 2017 Hackaday Superconference. You don’t need to be Samy Kamkar to qualify for a talk. You just need an interesting story of hardware engineering, creativity in technical design, an adventure with product design, or a sordid tale of your prototyping experiences. We hope everyone with a story will submit their proposal, but for those who don’t tickets are now available. The Hackaday Superconference will take place in Pasadena, California on November 11th and 12th.

Smart Gun Beaten by Dumb Magnets

July 25, 2017 by Michael Uttmark 176 Comments

[Plore], a hacker with an interest in safe cracking, read a vehemently anti-smart-gun thread in 2015. With the words “Could you imagine what the guys at DEF CON could do with this?” [Plore] knew what he had to do: hack some smart guns. Watch the video below the break.

Armed with the Armatix IP1, [Plore] started with one of the oldest tricks in the book: an RF relay attack. The Armatix IP1 is designed to fire only when a corresponding watch is nearby, indicating that a trusted individual is the one holding the gun. However, by using a custom-built $20 amplifier to extend the range of the watch, [Plore] is able to fire the gun more than ten feet away, which is more than enough distance to be dangerous and certainly more than the few inches the manufacturers intended.

Not stopping there, [Plore] went to the other extreme, creating what he calls an “electromagnetic compatibility tester” (in other words, a jammer) that jams the signal from the watch, effectively preventing a legitimate gun owner from firing their gun at 10 to 20 feet!

Not one to call it quits, [Plore] realised that the gun prevented illicit firing with a simple metal pin which it moved out of the way once it sensed the watch nearby. However, this metal just happened to be ferrous, and you know what that means: [Plore], with the help of some strong magnets, was able to move the pin without any electrical trickery.

Now, we’ve already covered the many hurdles that smart guns face, and this specific investigation of the state of smart gun technology doesn’t make the picture look any brighter. We’re aware that hindsight is always 20/20, so let us know in the comments how you would fix the problems with the Armatix IP1.
Continue reading “Smart Gun Beaten by Dumb Magnets” →

Sneak Thieves Beware: A Pi Watcheth

July 13, 2017 by James Hobson 8 Comments

Ever have that strange feeling that somebody is breaking into your workshop? Well, Hackaday.io user [Kenny] has whipped up a tutorial on how to scratch that itch by turning a spare Raspberry Pi you may have kicking around into a security camera system that notifies you at a moment’s notice.

The system works like this: a Raspberry Pi 3 and connected camera module remain vigilant, constantly scanning for motion and recording video. If motion is detected, it immediately snaps and sends a picture to the user’s mobile via PushBullet, then begins recording video. If there is still movement after a few seconds, the process repeats until the area is once again devoid of motion. This also permits a two-way communication with your Pi security system, so you can check in on the live feed whenever you feel the urge.

To get this working for you — assuming that your Pi has been recently updated — setup requires setting up a PushBullet account as well as installing it on your mobile and linking it with an API. For your Pi, you can go ahead with setting up some Python PushBullet libraries, installing FFmpeg, Pi Camera Notifier, and others. Or, install the ready-to-go image [Kenny] has prepared. He gets into the nitty-gritty of the code in his guide, so check that out or watch the tutorial video after the break.

Continue reading “Sneak Thieves Beware: A Pi Watcheth” →

Dropping Zip Bombs on Vulnerability Scanners

July 8, 2017 by Elliot Williams 116 Comments

If you’ve ever looked at the server logs of a computer that lives full-time on the Internet, you know it’s a rough world out there. You’ll see hundreds of attempts per day to break in to your one random little box. Are you going to take that sitting down? Christian Haschek didn’t.

Instead of simply banning IPs or closing off services, [Christian] decided to hit ’em where it hurts: in the RAM. Now, whenever a bot hits his server looking for a poorly configured WordPress install, he serves them 10 GB of zeroes, compressed down into 10 MB by gzip:

dd if=/dev/zero bs=1M count=10240 | gzip > 10G.gzip

The classic trick uses zip multiple times on itself, which lets you compress arbitrarily large files into just a few kB. [Christian] tried this with gzip, and discovered that it didn’t automatically recurse, so he’s taking a small bandwidth hit for the team. If you know how to get more data packed smaller using gzip, leave a note in the comments.

Nobody really knows if this works on the bad guys’ servers, but [Christian] said that they stopped hitting him after downloading a couple payloads. If you want to test out what it does to your system, click this link. If you don’t run a server, but phishing e-mails get you hot under the collar, check out [Robbie Gallagher]’s talk on phishing the phishers from last year’s Schmoocon for cathartic tales of revenge.

Hacking Into…. A Wind Farm?

July 6, 2017 by James Hobson 28 Comments

Pick a lock, plug in a WiFi-enabled Raspberry Pi and that’s nearly all there is to it.

There’s more than that of course, but the wind farms that [Jason Staggs] and his fellow researchers at the University of Tulsa had permission to access were — alarmingly — devoid of security measures beyond a padlock or tumbler lock on the turbines’ server closet. Being that wind farms are generally in open fields away from watchful eyes, there is little indeed to deter a would-be attacker.

[Staggs] notes that a savvy intruder has the potential to shut down or cause considerable — and expensive — damage to entire farms without alerting their operators, usually needing access to only one turbine to do so. Once they’d entered the turbine’s innards, the team made good on their penetration test by plugging their Pi into the turbine’s programmable automation controller and circumventing the modest network security.

The team are presenting their findings from the five farms they accessed at the Black Hat security conference — manufacturers, company names, locations and etc. withheld for obvious reasons. One hopes that security measures are stepped up in the near future if wind power is to become an integral part of the power grid.

All this talk of hacking and wind reminds us of our favourite wind-powered wanderer: the Strandbeest!

[via WIRED]

New Ransomware Crippling Chernobyl Sensors

June 28, 2017 by Jack Laidlaw 87 Comments

[The BBC] reports Companies all over the world are reporting a new ransomware variant of WannaCry. this time it has taken out sensors monitoring the Chernobyl nuclear disaster site.

We have all heard of the growing problem of ransomware and how Windows XP systems seem especially susceptible to WannaCry and it’s variants which were originally zero day vulnerabilities stored up by the NSA then leaked by WikiLeaks. Microsoft did release a patch. It’s been everywhere in the media but it still seems that some people didn’t get the memo.

Ukrainian state power plants and Kiev’s main airport, among others, have been affected. Probably most interesting and scary of all is that Chernobyl monitoring stations have been taken out, and monitors have to take radiation levels manually for the moment.

It seems that most reports are coming from old Soviet Bloc states (Ukraine, Russia, and Poland), which raises the question of where the attacker is based. Kaspersky Lab is reporting that it’s believed the ransomware was a “new malware that has not been seen before” with a close resemblance to Petya. So as a result, the firm has dubbed it NotPetya.

NotPetya is spreading rapidly affecting companies all over the world with no signs of slowing just yet. Will we see an end to WannaCry variants any time soon.

[Update Thanks to [getrekt] , It now seems that this is fake ransomware which just destroys your data whether you pay or not.]

Fake Your ID Photos – the 3D Way

June 24, 2017 by Lewin Day 43 Comments

Photographs for identification purposes have strict requirements. Lighting, expression, and framing are all controlled to enable authorities to quickly and effectively use them to identify individuals reliably. But what if you created an entirely fake photograph from scratch? That’s exactly what [Raphael Fabre] set out to do.

With today’s 3D modelling tools, human faces can be created in extreme detail. Using these, [Raphael] set out to create a 3D model of himself, which was then used to render images simulating a passport photograph. Not content to end the project there, [Raphael] put his digital doppelgänger to the test – applying for a French identification card. He succeeded.

While the technology to create and render high-quality human faces has existed for a while, it’s impressive that [Raphael]’s work passed for genuine human. Obviously there’s something to be said for the likelihood of an overworked civil servant catching this sort of ruse, but the simple fact is, the images made it through the process, and [Raphael] has his ID. Theoretically, this leaves open the possibility of creating entirely fictitious characters and registering them as real citizens with the state, for all manner of nefarious purposes. If you do this, particularly on a grand scale, be sure to submit it to the tip line.

We’ve seen other concerning ID hacks before, such as this attempt at hacking RFIDs in Passport Cards.