Security Hacks

Opening A Ford With A Robot and the De Bruijn Sequence

June 18, 2018 by 69 Comments

The Ford Securicode, or the keyless-entry keypad available on all models of Ford cars and trucks, first appeared on the 1980 Thunderbird. Even though it’s most commonly seen on the higher-end models, it is available as an option on the Fiesta S — the cheapest car Ford sells in the US — for $95. Doug DeMuro loves it. It’s also a lock, and that means it’s ready to be exploited. Surely, someone can build a robot to crack this lock. Turns out, it’s pretty easy.

The electronics and mechanical part of this build are pretty simple. An acrylic frame holds five solenoids over the keypad, and this acrylic frame attaches to the car with magnets. There’s a second large protoboard attached to this acrylic frame loaded up with an Arduino, character display, and a ULN2003 to drive the resistors. So far, everything you would expect for a ‘robot’ that will unlock a car via its keypad.

The real trick for this build is making this electronic lockpick fast and easy to use. This project was inspired by [Samy Kamkar]’s OpenSesame attack for garage door openers. In this project, [Samy] didn’t brute force a code the hard way by sending one code after another; (crappy) garage door openers only look at the last n digits sent from the remote, and there’s no penalty for sending the wrong code. In this case, it’s possible to use a De Bruijn sequence to vastly reduce the time it takes to brute force every code. Instead of testing tens of thousands of different codes sequentially, this robot only needs to test 3125, something that should only take a few minutes.

Right now the creator of this project is putting the finishing touches on this Ford-cracking robot. There was a slight bug in the code that was solved by treating the De Bruijn sequence as circular, but now it’s only a matter of time before a 1993 Ford Taurus wagon becomes even more worthless.

A Close Eye on Power Exposes Private Keys

June 11, 2018 by 37 Comments

Hardware wallets are devices used exclusively to store the highly sensitive cryptographic information that authenticates cryptocurrency transactions. They are useful if one is worried about the compromise of a general purpose computer leading to the loss of such secrets (and thus loss of the funds the secrets identify). The idea is to move the critical data away from a more vulnerable network-connected machine and onto a device without a network connection that is unable to run other software. When designing a security focused hardware devices like hardware wallets it’s important to consider what threats need to be protected against. More sophisticated threats warrant more sophisticated defenses and at the extreme end these precautions can become highly involved. In 2015 when [Jochen] took a look around his TREZOR hardware wallet he discovered that maybe all the precautions hadn’t been considered.

Continue reading “A Close Eye on Power Exposes Private Keys”

Ask Hackaday: What Is The Future Of Implanted Electronics?

June 7, 2018 by 134 Comments

Biohacking is the new frontier. In just a few years, millions of people will have implanted RFID chips under the skin between their thumb and index finger. Already, thousands of people in Sweden have chipped themselves to make their daily lives easier. With a tiny electronic implant, Swedish rail passengers can pay their train ticket, and it goes without saying how convenient opening an RFID lock is without having to pull out your wallet.

That said, embedding RFID chips under the skin has been around for decades; my thirteen-year-old cat has had a chip since he was a kitten. Despite being around for a very, very long time, modern-day cyborgs are rare. The fact that only thousands of people are using chips on a train is a newsworthy event. There simply aren’t many people who would find the convenience of opening locks with a wave of a hand worth the effort of getting chipped.

Why hasn’t the most popular example of biohacking caught on? Why aren’t more people getting chipped? Is it because no one wants to be branded with the Mark of the Beast? Are the reasons for a dearth of biohacking more subtle? That’s what we’re here to find out, so we’re asking you: what is the future of implanted electronics?

Continue reading “Ask Hackaday: What Is The Future Of Implanted Electronics?”

Cracking the Case of Capcom’s CPS2 Security

June 6, 2018 by 17 Comments

We love a good deep-dive on a specialized piece of technology, the more obscure the better. You’re getting a sneak peek into a world that, by rights, you were never meant to know even existed. A handful of people developed the system, and as far as they knew, nobody would ever come through to analyze and investigate it to find out how it all went together. But they didn’t anticipate the tenacity of a curious hacker with time on their hands.

[Eduardo Cruz] has done a phenomenal job of documenting one such system, the anti-piracy mechanisms present in the Capcom CPS2 arcade board. He recently wrote in to tell us he’s posted his third and final entry on the system, this time focusing on figuring out what a mysterious six pin header on the CPS2 board did. Hearing from others that fiddling with this header occasionally caused the CPS2 board to automatically delete the game, he knew it must be something important. Hackaday Protip: If there’s a self-destruct mechanism attached to it, that’s probably the cool part.

He followed the traces from the header connector, identified on the silkscreen as C9, back to a custom Capcom IC labeled DL-1827. After decapping the DL-1827 and putting it under the microscope, [Eduardo] made a pretty surprising discovery: it wasn’t actually doing anything with the signals from the header at all. Once the chip is powered up, it simply acts as a pass-through for those signals, which are redirected to another chip: the DL-1525.

[Eduardo] notes that this deliberate attempt at obfuscating which chips are actually connected to different headers on the board is a classic trick that companies like Capcom would use to try to make it harder to hack into their boards. Once he figured out DL-1525 was what he was really after, he was able to use the information he gleaned from his earlier work to piece together the puzzle.

This particular CPS2 hacking journey only started last March, but [Eduardo] has been investigating the copy protection systems on arcade boards since 2014.

[Thanks to Arduino Enigma for the tip.]

Distorted Text Says A Lot

May 31, 2018 by 20 Comments

Getting bounced to a website by scanning a QR code is no longer an exciting feat of technology, but what if you scanned the ingredient list on your granola bar and it went to the company’s page for that specific flavor, sans the matrix code?

Bright minds at the Columbia University in the City of New York have “perturbed” ordinary font characters so the average human eye won’t pick up the changes. Even ordinary OCR won’t miss a beat when it looks at a passage with a hidden message. After all, these “perturbed” glyphs are like a perfectly legible character viewed through a drop of water. When a camera is looking for these secret messages, those minor tweaks speak volumes.

The system is diabolically simple. Each character can be distorted according to an algorithm and a second variable. Changing that second variable is like twisting a distorted lens, or a water drop but the afterimage can be decoded and the variable extracted. This kind of encoding can survive a trip to the printer, unlike a purely digital hidden message.

Hidden messages like these are not limited to passing notes, metadata can be attached to any text and extracted when necessary. Literature could include notes without taking up page space so teachers could include helpful notes and a cell phone could be like an x-ray machine to see what the teacher wants to show. For example, you could define what “crypto” actually means.

Continue reading “Distorted Text Says A Lot”

“Watch Dogs” Inspired Hacking Drone Takes Flight

May 27, 2018 by 16 Comments

They say that life imitates art, which in modern parlance basically means if you see something cool in a video game, movie or TV show, you might be inclined to try and build your own version. Naturally, such things generally come in the form of simple props, perhaps with the occasional embedded LED or noise making circuit. It’s not as if you can really build a phaser from Star Trek or a phone booth that’s bigger on the inside.

But after seeing the hacking quadcopter featured in the video game Watch Dogs 2, [Glytch] was inspired to start work on a real-world version. It doesn’t look much like the drone from the game, but that was never the point. The idea was to see how practical a small flying penetration testing platform is with current technology, and judging by the final build, we’d say he got his answer.

All the flight electronics are off the shelf quadcopter gear. It’s running on a Betaflight OMNIBUS F4 Pro V2 Flight controller with an M8N GPS mounted in the front and controlling the 2006 2400KV motors with a DYS F20A ESC. Interestingly [Glytch] is experimenting with using LG HG2 lithium-ion cells to power the quad rather than the more traditional lithium-polymer pack, though he does mention there are some issues with the voltage curve between the two battery technologies.

But the real star of the show is the payload: a Hak5 Pineapple Nano. As the Pineapple provides a turn-key penetration testing platform on its own, [Glytch] just needed a way to safely carry it and keep it powered. The custom frame keeps it snug, and the 5 Volt Battery Eliminator Circuit (BEC) on the DYS F20A ESC combined with a female USB port allows powering the Pineapple without having to make any hardware modifications.

We’ve seen quadcopters with digital weaponry before, though not nearly as many as you might think. But as even the toy grade quadcopters become increasingly capable, we imagine the airborne hacking revolution isn’t far away.

Continue reading ““Watch Dogs” Inspired Hacking Drone Takes Flight”

Explaining Efail and Why It Isn’t the End of Email Privacy

May 21, 2018 by 25 Comments

Last week the PGPocalipse was all over the news… Except that, well, it wasn’t an apocalypse.

A team of researchers published a paper(PDF) where they describe how to decrypt a PGP encrypted email via a targeted attack. The research itself is pretty well documented and, from a security researcher perspective, it’s a good paper to read, especially the cryptography parts.

But we here at Hackaday were skeptical about media claims that Efail had broken PGP. Some media reports went as far as recommending everyone turn off PGP encryption on all email clients., but they weren’t able to back this recommendation up with firm reasoning. In fact, Efail isn’t an immediate threat for the vast majority of people simply because an attacker must already have access to an encrypted email to use the exploit. Advising everyone to disable encryption all together just makes no sense.

Aside from the massive false alarm, Efail is a very interesting exploit to wrap your head around. Join me after the break as I walk through how it works, and what you can do to avoid it.

Continue reading “Explaining Efail and Why It Isn’t the End of Email Privacy”