RaspiReader, An Open Source Fingerprint Reader

In 2008, the then German interior minister, [Wolfgang Schäuble] had his fingerprint reproduced by members of the German Chaos Computer Club, or CCC, and published on a piece of plastic film distributed with their magazine. [Schäuble] was a keen proponent of mass gathering of biometric information by the state, and his widely circulated fingerprint lifted from a water glass served as an effective demonstration against the supposed infallibility of biometric information.

Diagram showing the fingerprint reader's operation.
Diagram showing the fingerprint reader’s operation.

It was reported at the time that the plastic [Schäuble] fingerprint could fool the commercial scanners of the day, including those used by the German passport agency, and the episode caused significant embarrassment to the politician. The idea of “spoofing” a fingerprint would completely undermine the plans for biometric data collection that were a significant policy feature for several European governments of the day.

It is interesting then to read a paper from Michigan State University, “RaspiReader: An Open Source Fingerprint Reader Facilitating Spoof Detection” (PDF downloadable from the linked page) by [Joshua J. Engelsma], [Kai Cao], and [Anil K. Jain] investigates the mechanism of an optical fingerprint reader and presents a design using the ever-popular Raspberry Pi that attempts to detect and defeat attempts at spoofing. For the uninitiated is serves as a fascinating primer on FTIR (Frustrated Total Internal Reflection) photography of fingerprints, and describes their technique combining it with a conventional image to detect spoofing. Best of all, the whole thing is open-source, meaning that you too can try building one yourself.

If [Cao] and [Jain] sound familiar, maybe it’s from their Samsung Galaxy fingerprint hack last year, so it’s neat to see them at work on the defense side. If you think that fingerprints make good passwords, you’ve got some background reading to do. If you just can’t get enough fingerprints, read [Al Williams]’ fundamentals of fingerprint scanning piece from earlier this year.

Via Hacker News.

The Enigma Enigma: How The Enigma Machine Worked

To many, the Enigma machine is an enigma. But it’s really quite simple. The following is a step-by-step explanation of how it works, from the basics to the full machine.

Possibly the greatest dedicated cipher machine in human history the Enigma machine is a typewriter-sized machine, with keyboard included, that the Germans used to encrypt and decrypt messages during World War II. It’s also one of the machines that the Polish Cipher Bureau and those at Britain’s Bletchley Park figured out how to decipher, or break. Most recently the story of how it was broken was the topic of the movie The Imitation Game.

Let’s start with the basics.

Continue reading “The Enigma Enigma: How The Enigma Machine Worked”

Apple’s Secure Enclave Processor (SEP) Firmware Decrypted

The decryption key for Apple’s Secure Enclave Processor (SEP) firmware Posted Online by self-described “ARM64 pornstar” [xerub]. SEP is the security co-processor introduced with the iPhone 5s which is when touch ID was introduced. It’s a black box that we’re not supposed to know anything about but [xerub] has now pulled back the curtain on that.

The secure enclave handles the processing of fingerprint data from the touch ID sensor and determines if it is a match or not while it also enables access for purchases for the user. The SEP is a gatekeeper which prevents the main processor from accessing sensitive data. The processor sends data which can only be read by the SEP which is authenticated by a session key generated from the devices shared key. It also runs on its own OS [SEPOS] which has a kernel, services drivers and apps. The SEP performs secure services for the rest of the SOC and much more which you can learn about from the Demystifying the Secure Enclave Processor talk at Blackhat

[xerub] published the decryption keys here. To decrypt the firmware you can use img4lib and xerub’s SEP firmware split tool to process. These tools make it a piece of cake for security researchers to comb through the firmware looking for vulnerabilities.

The Amazon Echo As A Listening Device

It is an inevitability that following swiftly on the heels of the release of a new device there will be an announcement of its rooting, reverse engineering, or other revealing of its hackability. Now the device in question is the Amazon Echo, as MWR Labs announce their work in persuading an Echo to yield the live audio from the microphone and turn the voice assistant device into a covert listening device.

The work hinges on a previous discovery and reverse engineering (PDF) of Amazon’s debug connector on the base of the Echo, which exposes both an SD card interface and a serial terminal. Following that work, they were able to gain root access to the device, analyze the structure of the audio buffers and how the different Echo processes use them, and run Amazon’s own “shmbuf_tool” application to pipe raw audio data to a network stream. Astoundingly this could be done without compromising the normal operation of the device.

It should be stressed, that this is an exploit that requires physical access to the device and a bit of knowledge to perform. But it’s not inconceivable that it could be made into a near-automated process requiring only a device with a set of pogo pins to be mated with an Echo that has had its cover quickly removed.

That said, inevitably there will be enough unused Echos floating around before too long that their rootability will make them useful to people in our community. We look forward to what interesting projects people come up with using rooted Echos.

This isn’t the first time we’ve covered the use of an Echo as a listening device.

Via Hacker News.

Amazon Echo image: FASTILY [CC BY-SA 4.0].

Getting Data Out Of Air-Gapped Networks Through The Power Cable

If you are an organisation that is custodian of sensitive information or infrastructure, it would be foolhardy of you to place it directly on the public Internet. No matter how good your security might be, there is always the risk that a miscreant could circumvent it, and perform all sorts of mischief. The solution employed therefore is to physically isolate such sensitive equipment from the rest of the world, creating an air gap. Nothing can come in and nothing can go out, or so goes the theory.

Well, that’s the theory, anyway. [Davidl] sends us some work that punches a hole in some air-gapped networks, allowing low-speed data to escape the air gap even if it doesn’t allow the reverse.

So how is this seemingly impossible task performed? The answer comes through the mains electrical infrastructure, if the air gap is bridged by a mains cable then the load on that mains cable can be modulated by altering the work undertaken by a computer connected to it. This modulation can then be detected with a current transformer, or even by compromising a UPS or electricity meter outside the air gap.

Of course, the Hackaday readership are all upstanding and law-abiding citizens of good standing, to whom such matters are of purely academic interest. Notwithstanding that, the article goes into the subject in great detail, and makes for a fascinating read.

We’ve touched on this subject before with such various techniques as broadcast radio interference and the noise from a fan,  as well as with an in-depth feature.

Broadpwn – All Your Mobiles Are Belong To Us

Researchers from Exodus Intel recently published details on a flaw that exists on several Broadcom WiFi chipsets. It’s estimated to affect nearly 1 Billion devices, from Android to iPhone. Just to name a few in the top list:

  • Samsung Galaxy from S3 through S8, inclusive
  • All Samsung Notes3. Nexus 5, 6, 6X and 6P
  • All iPhones after iPhone 5

So how did this happen? And how does a bug affect so many different devices?

A smart phone nowadays is a very complicated mesh of interconnected chips. Besides the main processor, there are several other secondary processors handling specialized tasks which would otherwise clog up the main CPU. One of those is the WiFi chipset, which is responsible for WiFi radio communications — handling the PHY, MAC and MLME layers. When all the processing is complete, the radio chipset hands data packets over the kernel driver, which runs on the main CPU. This means that the radio chipset itself has to have some considerable data processing power to handle all this work. Alas, with great power comes great responsibility.

Continue reading “Broadpwn – All Your Mobiles Are Belong To Us”

Superconference Interview: Samy Kamkar

Samy Kamkar has an incredible arsenal of self-taught skills that have grown into a remarkable career as a security researcher. He dropped out of high school to found a company based on Open Source Software and became infamous for releasing the Samy worm on the MySpace platform. But in our minds Samy has far outpaced that notoriety with the hardware-based security exploits he’s uncovered over the last decade. And he’s got a great gift for explaining these hacks — from his credit card magstripe spoofing experiments to hacking keyless entry systems and garage door opener remotes — in great depth during his talk at the 2016 Hackaday Superconference.

We pulled Samy aside after his talk to discuss how the security scene has grown up over the years and asked him to share his advice for people just coming up now. We’re happy to publish it for the first time today, it can be seen below.

Now it’s your turn. The Call for Proposals is now open for the 2017 Hackaday Superconference. You don’t need to be Samy Kamkar to qualify for a talk. You just need an interesting story of hardware engineering, creativity in technical design, an adventure with product design, or a sordid tale of your prototyping experiences. We hope everyone with a story will submit their proposal, but for those who don’t tickets are now available. The Hackaday Superconference will take place in Pasadena, California on November 11th and 12th.