Replacing The IPhone 6 Button Bricks The Phone

February 5, 2016 by Brian Benchoff 131 Comments

News comes from The Guardian that the iPhone 6 will break because of software updates due to non-authorized hardware replacements. Several thousand iPhone 6 users are claiming their phones have been bricked thanks to software updates if the home button – and the integrated TouchID fingerprint sensor – were replaced by non-Apple technicians.

For the last few iPhone generations, the TouchID fingerprint sensor has been integrated into the home button of every iPhone. This fingerprint sensor provides an additional layer of security for the iPhone, and like everything on smartphones, there is a thriving market of companies who will fix broken phones. If you walk into an Apple store, replacing the TouchID sensor will cost about $300. This part is available on Amazon for about $10, and anyone with a pentalobe screwdriver, spudger, and fine motor control can easily replace it. Doing so, however, will eventually brick the phone, as software updates render the device inoperable if the TouchID sensor is not authorized by Apple.

According to an Apple spokeswoman, the reason for the error 53 is because the fingerprint data is uniquely paired to the touch ID sensor found in the home button. If the TouchID sensor was substituted with a malicious TouchID sensor, complete and total access to the phone would be easy, providing a forehead-slapping security hole. Error 53 is just Apple’s way of detecting devices that were tampered with.

In fairness to Apple, not checking the authenticity of the touch ID would mean a huge security hole; if fingerprint data is the only thing keeping evil balaclava-wearing hackers out of your phone, simply replacing this sensor would grant them access. While this line of reasoning is valid, it’s also incredibly stupid: anyone can get around the TouchID fingerprint sensor with a laser printer and a bit of glue. If you ever get ahold of the German Defense Minister’s iPhone, the fingerprint sensor isn’t going to stop you.

This is a rare case where Apple are damned if they do, damned if they don’t. By not disabling the phone when the TouchID sensor is replaced, all iPhones are open to a gaping security hole that would send the Internet into a tizzy. By bricking each and every iPhone with a replacement TouchID sensor, Apple gets a customer support nightmare. That said, the $300 replacement cost for the TouchID sensor will get you a very nice Android phone that doesn’t have this problem.

This File Will Self-Destruct In 24 Hours

February 4, 2016 by Anool Mahidharia 75 Comments

[menkveldj] built a service that encrypts files which self destruct in 24 hours. The download link can only be used once. If the wrong people were to get the link and download the file, they’d need many years on a pretty powerful computer to crack the 256AES encryption.

The sender shares a file that is encrypted client side using a password generated Pbkdf2 key to encrypt the data before uploading it to the s3 storage service. The sender is then provided the one-time-use link to share with the recipient. After the first download, or 24 hours, the link and the encrypted file are both deleted. The receiver must enter the same password to decrypt and recover the file. No one but the sharer and receiver know what the actual file is.

It’s still work in progress, so chime in with your comments and suggestions. To dig into the code, check out his repository on Github, which also has instructions to build and run it if you’d like to do your own version.

Oh, and you’ll like this. If want to thumb your nose at the powers that be, the site has a redirect for the whimsical domain: NSAfu.com.

“Hello Barbie” Not An IoT Nightmare After All

January 29, 2016 by Elliot Williams 25 Comments

Security researchers can be a grim crowd. Everything, when looked at closely enough, is insecure at some level, and this leads to a lot of pessimism in the industry. So it’s a bit of a shock to see a security report that’s filled with neither doom nor gloom.

We’d previously covered Somerset Recon’s initial teardown of “Hello Barbie” and were waiting with bated breath for the firmware dump and some real reverse engineering. Well, it happened and basically everything looks alright (PDF report). The Somerset folks desoldered the chip, dumped the flash ROM, and when the IDA-dust settled, Mattel used firmware that’s similar to what everyone else uses to run Amazon cloud service agents, but aimed at the “toytalk.com” network instead. In short, it uses a tested and basically sound firmware.

The web services that the creepy talking doll connected to were another story, and were full of holes that were being actively patched throughout Somerset’s investigation, but we were only really interested in the firmware anyway, and that looked OK. Not everything is horror stories in IoT security. Some stories do have a happy ending. Barbie can sleep well tonight.

Fingerprint Scanner For Laptop And Raspberry Pi (or Giving The Finger To Your Computer)

January 29, 2016 by Rud Merriam 28 Comments

We’ve got two hacks in one from [Serge Rabyking] on fingerprint scanning. Just before leaving on a trip he bought a laptop on the cheap. He didn’t pay much attention to the features and was disappointed it didn’t have a fingerprint scanner. Working in Linux he uses sudo a lot and typing the password is a hassle. Previously he just swiped his finger on the scanner and execution continued.

He found a cheap replacement fingerprint scanner on hacker’s heaven, also known as eBay. It had four wires attached to a 16 pin connector. Investigation on the scanner end showed the outer pair were power and ground which made [Serge] suspect it was a USB device. Wiring up a USB connector and trying it the device was recognized but with a lot of errors. He swapped the signal lines and everything was perfect. He had sudo at his finger tip.

Next he wonder if it would work with a Raspberry Pi. He installed the necessary fingerprint scanning software, ran the enrollment for a finger, and it, not terribly surprisingly, worked.

On Linux the command fprintd-enroll reads and stores the fingerprint information. By default it scans and saves the right index finger but all ten fingers can be scanned and stored. Use libpam-fprintd to enable account login using a finger. Anyone know how you can trigger other events using a different finger? A quick search didn’t turn up any results.

In true hacker style, [Serge] created his own fingerprint reader from a replacement part. But you can jump start your finger usage by purchasing one of many inexpensive available readers.

TP-LINK’s WiFi Defaults To Worst Unique Passwords Ever

January 27, 2016 by Mike Szczys 82 Comments

This “security” is so outrageous we had to look for hidden cameras to make sure we’re not being pranked. We don’t want to ruin the face-palming realization for you, so before clicking past the break look closely at the image above and see if you can spot the exploit. It’s plain as day but might take a second to dawn on you.

The exploit was published on [Mark C.’s] Twitter feed after waiting a couple of weeks to hear back from TP-LINK about the discovery. They didn’t respond so he went public with the info.

Continue reading “TP-LINK’s WiFi Defaults To Worst Unique Passwords Ever” →

Steampunk USB Cryptex Keeps Your Data Secure

January 21, 2016 by James Hobson 10 Comments

Worried about people snooping around your USB drive? Digital encryption not good enough for you? What you need is a USB Cryptex to secure the drive from even being accessed!

Made completely out of copper and brass, [Scots72] really put a lot of effort into this beautiful piece of metalworking. The USB drive itself is encased in epoxy inside of a copper tube — the rest is built around it. Built almost entirely using hand tools, and we can only imagine how long the process took to complete. But patience is often rewarded with results like these!

Continue reading “Steampunk USB Cryptex Keeps Your Data Secure” →

Shmoocon 2016: GPUs And FPGAs To Better Detect Malware

January 17, 2016 by Mike Szczys 40 Comments

One of the big problems in detecting malware is that there are so many different forms of the same malicious code. This problem of polymorphism is what led Rick Wesson to develop icewater, a clustering technique that identifies malware.

Presented at Shmoocon 2016, the icewater project is a new way to process and filter the vast number of samples one finds on the Internet. Processing 300,000 new samples a day to determine if they have polymorphic malware in them is a daunting task. The approach used here is to create a fingerprint from each binary sample by using a space-filling curve. Polymorphism will change a lot of the bits in each sample, but as with human fingerprints, patterns are still present in this binary fingerprints that indicate the sample is a variation on a previously known object.
Continue reading “Shmoocon 2016: GPUs And FPGAs To Better Detect Malware” →