Biometric Authentication With A Cheap USB Hub

It’s fair to say that fingerprints aren’t necessarily the best idea for device authentication; after all, they’re kind of everywhere. But in some cases, such as a device that never leaves your home, fingerprints are an appealing way to speed up repetitive logins. Unfortunately, fingerprint scanners aren’t exactly ubiquitous pieces of hardware yet. We wouldn’t hold out much hope for seeing a future Raspberry Pi with a fingerprint scanner sitting on top, for example.

Looking for a cheap way to add fingerprint scanning capabilities to his devices, [Nicholas] came up with a clever solution that is not only inexpensive, but multi-functional. By combining a cheap USB hub with a fingerprint scanner that was intended as a replacement part for a Thinkpad laptop, he was able to put together a biometric USB hub for around $5 USD.

After buying the Thinkpad fingerprint scanner, he wanted to make sure it would be detected by his computer as a standard USB device. The connector and pinout on the scanner aren’t standard, so he had to scrape off the plastic coating of the ribbon cable and do some probing with his multimeter to figure out what went where. Luckily, once he found the ground wire, the order of the rest of the connections was unchanged from normal USB.

When connected up to his Ubuntu machine, the Thinkpad scanner came up as a “STMicroelectronics Fingerprint Reader”, and could be configured with libpam-fprintd.

With the pinout and software configuration now known, all that was left was getting it integrated into the USB hub. One of the hub’s ports was removed and filled in with hot glue, and the fingerprint scanner connected in its place. A hole was then cut in the case of the hub for the scanner to peek out of. [Nicholas] mentions his Dremel is on loan to somebody else at the moment, and says he’ll probably try to clean the case and opening up a bit when he gets it back.

[Nicholas] was actually inspired to tackle this project based on a Hackaday post he read awhile back, so this one has truly come full circle. If you’d like to learn more about fingerprint scanning and the techniques being developed to improve it, we’ve got some excellent articles to get you started.

Kristin Paget Is Hacking Carrier Grade LTE ENodeB

Every once in a while you get lucky and a piece of cool gear lands on your bench to tear down and explore. On that measuring stick, Kristin Paget hit the jackpot when she acquired a fascinating piece of current generation cellphone infrastructure. She’s currently researching a carrier-grade LTE eNodeB and walked through some of the findings, along with security findings of two IoT products, during her talk on the Laws of IoT Security at the 2017 Hackaday Superconference.

Evolved Node B (eNodeB) is the meat and potatoes of the LTE cellular network. It connects the antenna to backhaul — this is not something you’d expect to see on the open market but Kristin managed to pick one up from a vendor at DEF CON. Hearing her walk through the process of testing the hardware is a real treat in her talk and we’ll get to that in just a minute. But first, check out our video interview with Kristin the morning after her talk. We get into the progress of her eNodeB research, and touch on the state of IoT security with advice for hardware developers moving forward.


Spoof A Skimmer For Peace Of Mind

It’s a sad commentary on the state of the world when it becomes a good practice to closely inspect the card reader on every ATM and gas pump for the presence of a skimmer. The trouble is, even physically yanking on the reader may not be enough, as more sophisticated skimmers now reside safely inside the device, sipping on the serial comms output of the reader and caching it for later pickup via Bluetooth. Devilishly clever stuff.

Luckily, there’s an app to detect these devices, and the prudent consumer might take solace when a quick scan of the area reveals no skimmers in operation. But is that enough? After all, how do you know the smartphone app is working? This skimmer scammer scanner — or is that a skimmer scanner scammer? — should help you prove you’re being as safe as possible.

The basic problem that [Ben Kolin] is trying to solve here is: how do you prove a negative? In other words, one could easily write an app with a hard-coded “This Area Certified Zebra-Free” message and market it as a “Zebra Detector,” and 99.999% of the time, it’ll give you the right results. [Ben]’s build provides the zebra, as it were, by posing as an active skimmer to convince the scanner app that a malicious Bluetooth site is nearby. It’s a quick and dirty build with a Nano and a Bluetooth module and a half-dozen lines of code. But it does the trick.

Need a primer on the nefarious world of skimming? Here’s an overview of how easy skimming has become, and a teardown of a skimmer captured in the wild.

Mathieu Stephan : The Making Of A Secure Open Source Hardware Password Keeper

Mathieu Stephan is an open source hardware developer, a Tindie seller who always has inventory, a former Hackaday writer, and an awesome all-around guy. One of his biggest projects for the last few years has been the Mooltipass, an offline password keeper built around smart cards and a USB interface. It’s the solution to Post-It notes stuck to your monitor and using the same password for all your accounts around the Internet.

The Mooltipass is an extremely successful product, and last year Mathieu launched the Mooltipass Mini. No, it doesn’t have the sweet illuminated touch-sensitive buttons, but it is a bit cheaper than its big brother and a bit more resistant to physical attacks — something you want in a device that keeps all your passwords secure.

Mathieu didn’t build the Mooltipass alone, though. This is an Open Source project that has developers and testers from around the globe. It may have started off as a Hackaday Post, but now the Mooltipass has grown into a worldwide development team with contributors across the globe. How did Mathieu manage to pull this off? You can check out his talk at the 2017 Hackaday Superconference below.


A TEMPEST In A Dongle

If a couple of generations of spy movies have taught us anything, it’s that secret agents get the best toys. And although it may not be as cool as a radar-equipped Aston Martin or a wire-flying rig for impossible vault heists, this DIY TEMPEST system lets you snoop on computers using secondary RF emissions.

If the term TEMPEST sounds familiar, it’s because we’ve covered it before. [Elliot Williams] gave an introduction to the many modalities that fall under the TEMPEST umbrella, the US National Security Agency’s catch-all codename for bridging air gaps by monitoring the unintended RF, light, or even audio emissions of computers. And more recently, [Brian Benchoff] discussed a TEMPEST hack that avoided the need for thousands of dollars of RF gear, reducing the rig down to an SDR dongle and a simple antenna. There’s even an app for that now: TempestSDR, a multiplatform Java app that lets you screen scrape a monitor based on its RF signature. Trouble is, getting the app running on Windows machines has been a challenge, but RTL-SDR.com reader [flatfishfly] solved some of the major problems and kindly shared the magic. The video below shows TempestSDR results; it’s clear that high-contrast images are easiest to snoop on, but it shows that a $20 dongle and some open-source software can bridge an air gap. Makes you wonder what’s possible with deeper pockets.

RF sniffing is only one of many ways to exfiltrate data from an air-gapped system. From power cords to security cameras, there seems to be no end to the ways to breach systems.


Is Intel’s Management Engine Broken Yet?

Our own [Brian Benchoff] asked this same question just six months ago in a similar headline. At that time, the answer was no. Or kind of no. Some exploits existed but with some preconditions that limited the impact of the bugs found in Intel Management Engine (IME). But 2017 is an unforgiving year for the blue teams, as a lot of serious bugs have been found throughout the year in virtually every field of computing. Researchers from Positive Technologies report that they found a flaw that allows them to execute unsigned code on computers running the IME. The cherry on top of the cake is that they are able to do it via a USB port acting as a JTAG port. Does this mean the zombie apocalypse is coming?

Before the Skylake CPU line, released in 2015, the JTAG interface was only accessible by connecting a special device to the ITP-XDP port found on the motherboard, inside a computer’s chassis. Starting with the Skylake CPU, Intel replaced the ITP-XDP interface and allowed developers and engineers to access the debugging utility via common USB 3.0 ports, accessible from the device’s exterior, through a new technology called Direct Connect Interface (DCI). Basically, the DCI provides access to CPU/PCH JTAG via USB 3.0. So the researchers managed to debug the IME processor itself via USB DCI, which is pretty awesome, but USB DCI is turned off by default, as one of the researchers states, which is pretty good news for the ordinary user. So don’t worry too much just yet.


Face ID Defeated With 3D Printed Mask (Maybe)

Information about this one is still trickling in, so take it with a grain of salt, but security company [Bkav] is claiming they have defeated the Face ID system featured in Apple’s iPhone X. By combining 2D images and 3D scans of the owner’s face, [Bkav] has come up with a rather nightmarish creation that apparently fools the iPhone into believing it’s the actual owner. Few details have been released so far, but a YouTube video recently uploaded by the company does look fairly convincing.

For those who may not be keeping up with this sort of thing, Face ID is advertised as an improvement over previous face-matching identification systems (like the one baked into Android) by using two cameras and a projected IR pattern to perform a fast 3D scan of the face looking at the screen. Incidentally, this is very similar to how Microsoft’s Kinect works. While a 2D system can be fooled by a high quality photograph, a 3D based system would reject it as the face would have no depth.

[Bkav] is certainly not the first group to try and con Apple’s latest fondle-slab into letting them in. Wired went through a Herculean amount of effort in their attempt earlier in the month, only to get no farther than if they had just put a printed out picture of the victim in front of the camera. Details on how [Bkav] managed to succeed are fairly light, essentially boiling down to their claim that they are simply more knowledgeable about the finer points of face recognition than their competitors. Until more details are released, skepticism is probably warranted.

Still, even if their method is shown to be real and effective in the wild, it does have the rather large downside of requiring a 3D scan of the victim’s face. We’re not sure how an attacker is going to get a clean scan of someone without their consent or knowledge, but with the amount of information being collected and stored about the average consumer anymore, it’s perhaps not outside the realm of possibility in the coming years.

Since the dystopian future of face-stealing technology seems to be upon us, you might as well bone up on the subject so you don’t get left behind.

Thanks to [Bubsey Ubsey] for the tip.
