Security Hacks

1538 Articles

DIY Pi Zero Pentesting Tool Keeps It Cheap

May 15, 2018 by 14 Comments

It’s a story as old as time: hacker sees cool tool, hacker recoils in horror at the price of said tool, hacker builds their own version for a fraction of the price. It’s the kind of story that we love here at Hackaday, and has been the impetus for countless projects we’ve covered. One could probably argue that, if hackers had more disposable income, we’d have a much harder time finding content to deliver to our beloved readers.

[ Alex Jensen] writes in to tell us of his own tale of sticker shock induced hacking, where he builds his own version of the Hak5 Bash Bunny. His version might be lacking a bit in the visual flair department, but despite coming in at a fraction of the cost, it does manage to pack in an impressive array of features.

This pentesting multitool can act as a USB keyboard, a mass storage device, and even an RNDIS Ethernet adapter. All in an effort to fool the computer you plug it into to let you do something you shouldn’t. Like its commercial inspiration, it features an easy to use scripting system to allow new attacks to be crafted on the fly with nothing more than a text editor. A rudimentary user interface is provided by four DIP switches and light up tactile buttons. These allow you to select which attacks run without needing to hook the device up to a computer first, and the LED lights can give you status information on what the device is doing.

[Alex] utilized some code from existing projects, namely PiBunny and rspiducky, but much of the functionality is of his own design. Detailed instructions are provided on how you can build your own version of this handy hacker gadget without breaking the bank.

Given how small and cheap it is, the Raspberry Pi is gaining traction in the world of covert DIY penetration testing tools. While it might not be terribly powerful, there’s something to be said for a device that’s cheap enough that you don’t mind leaving it at the scene if you’ve got to pull on your balaclava and make a break for it.

PGP Vulnerability Pre-announced By Security Researcher

May 14, 2018 by 30 Comments

From the gaping maw of the infosec Twitterverse comes horrifying news. PGP is broken. How? We don’t know. When will there be any information on this vulnerability? Tomorrow. It’s the most important infosec story of the week, and it’s only Monday. Of course, this vulnerability already has a name. Everyone else is calling it eFail, but I’m calling it Fear, Uncertainty, and Doubt.

Update: eFail site and paper now available. This was released ahead of Tuesday’s planned announcement when the news broke ahead of a press embargo.

Update 2: The report mentions two attacks. The Direct Exfiltration attack wraps the body of a PGP-encrypted email around an image tag. If a mail client automatically decrypts this email, the result will be a request to a URL containing the plaintext of the encrypted email. The second attack only works one-third of the time. Mitigation strategies are to not decrypt email in a client, disable HTML rendering, and in time, update the OpenPGP and S/MIME standards. This is not the end of PGP, it’s a vulnerability warranting attention from those with a very specific use case.

Update 3: Hackaday has published an in-depth explanation of how eFail works which details the scope of the vulnerability.

[Sebastian Schinzel] announced on Twitter today he will be announcing a critical vulnerability in PGP/GPG and S/MIME email encryption. This vulnerability may reveal the plaintext of encrypted emails. There are currently no fixes — but there’s no proof of concept, or any actual publication of this exploit either. The only thing that’s certain: somebody on Twitter said encrypted email is broken.

The EFF has chimed in on this exploit and advises everyone to immediately disable and uninstall tools that automatically decrypt PGP-encrypted email. It also looks like the EFF came up with a great little logo for eFail as well so kudos on that.

While there are no details whatsoever concerning eFail aside from a recommendation to not use PGP, a few members of the community have seen a pre-press of the eFail paper. [Werner Koch] of GnuPG says eFail is simply using HTML as a back channel. If this is true, PGP is still safe; you just shouldn’t use HTML emails. If you really need to read HTML emails, use a proper MIME parser and disallow access to external links. It should be noted that HTML in email is already an attack vector and has been for decades. You don’t need to bring PGP into this.

Should you worry about a vulnerability in PGP and email encryption? Literally no one knows. European security researchers are working on a publication release right now, but other experts in the field who have seen the paper think it’s not a big deal. There is no consensus from experts in the field, and there is no paper available right now. That last point will change in a few hours, but for now eFail just stands for Fear, Uncertainty, and Doubt.

A Home Network, Security System, And A Hidden Room Behind A Bookcase

May 6, 2018 by 33 Comments

Ok, now this is something special. This is a home network and security system that would make just about anyone stop, and with jaw hanging agape, stare, impressed at the “several months of effort” it took [timekillerjay] to install their dream setup. Just. Wow.

Want a brief rundown of the diverse skill set needed to pull this off? Networking, home security, home automation, woodworking, running two thousand feet(!) of cat 6a cable, a fair hand at drywall work for the dozens upon dozens of patches, painting, staining, and — while not a skill, but is definitely necessary — an amazingly patient family.

Ten POE security cameras monitor the premises with audio recording, infrared, and motion detection capabilities. This is on top of magnetic sensors for five doors, and eleven windows that feed back to an ELK M1-Gold security system which effortlessly  coordinates with an Insteon ISY994i smart home hub; this allows for automatic events — such as turning on lights after dark when a door is opened — to occur as [timekillerjay]’s family moves about their home. The ELK also allows [timekillerjay] to control other things around the house — namely the sprinkler system — via relays. [timekillerjay] says he lost track of how many smart switches are scattered throughout his home, but there are definitely 39 network drops that service the premises.

All of the crucial components are hidden in his office, behind a custom bookshelf. Building it required a few clever tricks to disguise the bookshelf for the secret door that it is, as well as selecting components with attention to how much noise they generate — what’s the point of a hidden security system if it sounds like a bunch of industrial fans?

An uninterruptible power supply will keep the entire system running for about 45 minutes if there is a power outage, with the cameras recording and system logging everything all the while. Not trusting the entrance to his vault to something from Batman, he’s also fitted the bookshelf with a 600lb magnetic lock that engages when the system is armed and the door already closed. A second UPS will keep the door secured for 6+ hours if the house loses power. Needless to say, we think this house is well secured.

[Via /r/DIY]

Battery Backup Conceals A Pentesting Pi

May 1, 2018 by 21 Comments

Over the last few years one thing has become abundantly clear: hackers love cramming the Raspberry Pi into stuff. From classic game systems to mirrors, there’s few places that haven’t been invaded by everyone’s favorite Linux SBC. From the inspired to the bizarre, we’ve brought such projects to your attention with minimal editorialization. As we’ve said before: it’s not the job of Hackaday to ask why, we’re here to examine how.

That said, some builds do stand out from the crowd. One such project is the “Pentesting BBU Dropbox” which [b1tbang3r] has recently posted to Hackaday.io. Noticing the battery bay in a cheap Cyberpower 350VA battery backup was just about the same size as the Raspberry Pi, he decided to convert it into a covert penetration testing device. Of course the illusion isn’t perfect as the battery backup function itself doesn’t work anymore. But if you hid this thing in an office or server room, there’s very little chance anyone would ever suspect it didn’t belong.

The key to the final device’s plausibility is that from stock it had dual RJ-11 jacks for analog modem surge protection. Swapping those jacks out for RJ-45 network connectors gives the BBU Dropbox an excuse to be plugged into the network. At a cursory glance, at least. Internally there is a TRENDnet Ethernet switch which allows the Pi to get on the network when an Ethernet cable is plugged into the battery backup.

We especially like the little details [b1tbang3r] put in to make the final device look as real as possible. The “Reset” button and “Wiring Fault” LED have been connected to the GPIO pins of the Pi, allowing for an exceptionally discrete user interface. For instance the LED could be setup to blink when a scan is complete, or the button could be used to wipe the device in an emergency.

This build reminds us of the Power Pwn released back in 2012 by Pwnie Express. That device was based around a relatively bulky power strip, and the only “feature” it looks like this DIY build is missing from the professional version is the $1,300 price.

Fix Your Insecure Amazon Fire TV Stick

April 18, 2018 by 48 Comments

I recently spent a largely sleepless night at a hotel, and out of equal parts curiosity and boredom, decided to kill some time scanning the guest network to see what my fellow travelers might be up to. As you’d probably expect, I saw a veritable sea of Samsung and Apple devices. But buried among the seemingly endless number of smartphones charging next to their sleeping owners, I found something rather interesting. I was as picking up a number of Amazon-made devices, all of which had port 5555 open.

As a habitual Android tinkerer, this struck me as very odd. Port 5555 is used for Android Debug Bridge (ADB), a development tool used to control and perform various administrative tasks on an Android device over the network or (more commonly) locally over USB. The number of users who would have legitimately needed to enable network ADB on their devices is surely rather low, so to see a half dozen of them on the network at the same time seemed improbable to say the least.

Why would so many devices manufactured by Amazon all have network ADB enabled? I realized there must be a connection, and it didn’t take long to figure it out.

Continue reading “Fix Your Insecure Amazon Fire TV Stick”

Hide Secret Messages In Plain Sight With Zero-Width Characters

April 15, 2018 by 30 Comments

Fingerprinting text is really very nifty; the ability to encode hidden data within a string of characters opens up a large number of opportunities. For example, someone within your team is leaking confidential information but you don’t know who. Simply send each team member some classified text with their name encoded in it. Wait for it to be leaked, then extract the name from the text — the classic canary trap.

Here’s a method that hides data in text using zero-width characters. Unlike various other ways of text fingerprinting, zero width characters are not removed if the formatting is stripped, making them nearly impossible to get rid of without re-typing the text or using a special tool. In fact you’ll have a hard time detecting them at all – even terminals and code editors won’t display them.

To make the process easy to perform, [Vedhavyas] created a command line utility to embed and extract a payload using any text. Each letter in the secret message is converted to binary, then encoded in zero-width characters. A zero-width-non-joiner character is used for 0, and a zero-width-space character for 1.

[Vedhavyas’] tool was inspired by a post by [Tom], who uses a javascript example (with online demo) to explain what’s going on. This lets you test out the claim that you can paste the text without losing the hidden data. Try pasting it into a text editor. We were able to copy it again from there and retrieve the data, but it didn’t survive being saved and cat’d to the command line.

Of course, to get your encoding game really tight, you should be looking at getting yourself an enigma wristwatch

Continue reading “Hide Secret Messages In Plain Sight With Zero-Width Characters”

Cracking A Bluetooth Credit Card

April 8, 2018 by 44 Comments

You might be surprised to find out that it’s actually not a good idea to put all of your credit card information on a little Bluetooth enabled device in your pocket. Oh, what’s that? You knew already? Well in that case you won’t find the following information terribly shocking, but it’s still a fascinating look at how security researchers systematically break down a device in an effort to find the chinks in its armor.

[Mike Ryan] of ICE9 Consulting has recently published an article detailing the work done to examine and ultimately defeat the security on the FUZE Card. From using an x-ray machine to do non-destructive reconnaissance on the device’s internals to methodically discovering all the commands it responds to over Bluetooth, it’s safe to say the FUZE Card is cracked wide open at this point.

To be clear, the attacker must still pair with FUZE, so physical access is required. But as pointed out by [Mike] in the blog post, handing your card over to a merchant is standard operating procedure in many cases. It isn’t as if it would be hard to get a hold of one of these FUZE cards for a minute or two without the owner becoming suspicious. Pairing FUZE to the Linux device to continue to the next step of the attack only takes a few seconds, as demonstrated in the video after the break.

Once paired, the attacker can simply send a BLE command to FUZE which disables the lock screen. It’s really that simple. The attacker can also send commands to dump credit card info over Bluetooth, meaning they could download your information even when the card is “safely” back in your pocket. The inherent failure in the FUZE design is that you don’t need to provide any sort of authentication to pair it to a new Bluetooth device. It makes the (very dangerous) assumption that the person holding it is entitled to do so.

Even if you know better than to ever buy a device like this, the post [Mike] has written up is really a must-read for anyone who’s ever looked at a device and tried to figure out what was going on in its little silicon brain. We especially liked his assertion that reverse engineering a device essentially boils down to: “staring, thinking, a little experimentation, but mostly staring and thinking.” We’re having an internal debate here at Hackaday HQ about making that the site’s tagline.

Incidentally, this is very similar to the Bluetooth gun “safe” that was cracked not so long ago. At this point, it might be wise to just stay away from anything with that little blue logo on it if you intend to trust it with your identity and/or deadly weapon.

Continue reading “Cracking A Bluetooth Credit Card”