Reverse Engineering The D-Link WPS Pin Algorithm

October 31, 2014 by Brian Benchoff 36 Comments

A router with WPS requires a PIN to allow other devices to connect, and this PIN should be unique to every router and not derived from other easily accessible data found on the router. When [Craig] took a look at the firmware of a D-Link DIR-810L 802.11ac router, he found exactly the opposite; the WPS PIN was easily decipherable because it was generated entirely from the router’s MAC address and could be reverse engineered by sniffing WiFi.

When [Craig] was taking a look at the disassembled firmware from his router, he noticed a bit of code that accessed the NVRAM used for storing device-specific information like a serial number. This bit of code wasn’t retrieving a WPS pin, but the WAN MAC address instead. Instead of being unique to each device and opaque to every other bit of data on the router, the WPS pin was simply generated (with a bit of math) from the MAC address. This means anyone upstream of the router can easily derive the WPS pin of the router, and essentially gives everyone the keys to the castle of this router.

A few years ago, it was discovered the WPS pin was extremely insecure anyway, able to be brute-forced in a matter of minutes. There are patches router manufacturers could apply to detect these brute force attacks, closing that vulnerability. [Craig]’s code, though, demonstrates that a very large number of D-Link routers effectively broadcast their WPS PIN to the world. To make things even worse, the BSSID found in every wireless frame is also derived from the WAN MAC address. [Craig] has literally broken WPS on a huge number of D-Link routers, thanks to a single engineer that decided to generate the WPS PIN from the MAC address.

[Craig] has an incomplete list of routers that are confirmed affected on his site, along with a list of confirmed unaffected routers.

A Better Anonabox With The Beaglebone Black

October 31, 2014 by Brian Benchoff 29 Comments

A few weeks ago, Anonabox, the ill-conceived router with custom firmware that would protect you from ‘hackers’ and ‘legitimate governments’ drew the ire of tech media. It was discovered that this was simply an off-the-shelf router with an installation of OpenWrt, and the single common thread in the controversy was that, ‘anyone can build that. This guy isn’t doing anything new.’

Finally, someone who didn’t have the terrible idea of grabbing another off the shelf router and putting it up on Kickstarter is doing just that. [Adam] didn’t like the shortcomings of the Anonabox and looked at the best practices of staying anonymous online. He created a Tor dongle in response to this with a Beaglebone Black.

Instead of using wireless like the Anonabox and dozens of other projects, [Andy] is using the Beaglebone as a dongle/Ethernet adapter with all data passed to the computer through the USB port. No, it doesn’t protect your entire network; only a single device and only when it’s plugged in.

The installation process is as simple as installing all the relevent software, uninstalling all the cruft, and configuring a browser. [Adam] was able to get 7Mb/sec down and 250kb/sec up through his Tor-ified Ethernet adapter while only using 40% of the BBB’s CPU.

Using Excel To Watch Movies At Work

October 24, 2014 by Marsh 38 Comments

The Excel subreddit exploded earlier this week when redditor [AyrA_ch] shared his custom spreadsheet that allowed him to play video files on a locked-down work computer. How locked down? With no access to Windows Media Player and IE7 as the only browser (all plugins disabled, no HTML5), Excel became the unlikely hero to cure a 3-hour boredom stint.

Behind the cascade of rectangles and in the land of the Excel macro, [AyrA_ch] took advantage of the program’s VBA (Visual Basic for Applications) functions to circumvent the computer’s restrictions. Although VBA typically serves the more-complex-than-usual macro, it can also invoke some Windows API commands, one of which calls Windows Media Player. The Excel file includes a working playlist and some rudimentary controls: play, pause, stop, etc. as well as an inspired pie chart countdown timer.

As clever as this hack is, the best feature is much more subtle: tricking in-house big brother. [AyrA_ch]’s computer ran an application to monitor process usage, but any videos played through the spreadsheet were attributed to Excel, ensuring the process usage stayed on target. You can download it for yourself over on GitHub.

Mission Impossible Self Destructing Messages

This Message Will Self-Destruct In 5 Seconds

October 18, 2014 by James Hobson 22 Comments

Good morning, Mr. Hunt. Your mission, should you choose to accept it… blah blah blah… This post will self-destruct in five seconds.

This is [Diego Trujillo Pisanty’s] latest project dubbed “This Tape Will Self-Destruct“, and it’s a fully functional small scale printer, whose media catches on fire immediately after printing. Beyond the obvious Mission Impossible connection, you could also think of it as real-life snapchat — just throw a webcam on there and some faxing capabilities…

Apparently [Diego] was inspired to build this machine after the BBC reported that a Kremlin security agency was upgrading the office with typewriters in attempt to reduce privacy leaks from computer hardware, in fear of WikiLeaks and [Edward Snowden].

It is an art piece (the horror!) but is actually quite the piece of hardware. So unfortunately, like most art pieces, the artist doesn’t give much detail on how it works, because that would ruin the illusion of the project… or something. Still, it’s an amusing project. Video below.

Continue reading “This Message Will Self-Destruct In 5 Seconds” →

Hackaday 10th Anniversary: [1o57] And The Art Of Encryption

October 6, 2014 by Brian Benchoff 35 Comments

[Ryan] a.k.a. [1o57] comes from an age before anyone could ask a question, pull out their smartphone, and instantly receive an answer from the great Google mind. He thinks there’s something we have lost with our new portable cybernetic brains – the opportunity to ask a question, think about it, review what we already know, and reason out a solution. There’s a lot to be said about solving a problem all by yourself, and there’s nothing to compare to the ‘ah-ha’ moment that comes with it.

[1o57] started his Mystery Challenges at DEFCON purely by accident; he had won the TCP/IP embedded device competition one year, and the next year was looking to claim his title again. The head of the TCP/IP embedded competition had resigned from his role, and through a few emails, [1o57] took on the role himself. There was a miscommunication, though, and [1o57] was scheduled to run the TCP/IP drinking competition. This eventually morphed into a not-totally-official ‘Mystery Challenge’ that caught fire in email threads and IRC channels. Everyone wanted to beat the mystery challenge, and it was up to [1o57] to pull something out of his bag of tricks.

The first Mystery Challenge was a mechanical device with three locks ready to be picked (one was already unlocked), magnets to grab ferrous picks, and only slightly bomb-like in appearance. The next few years featured similar devices with more locks, better puzzles, and were heavy enough to make a few security officials believe [1o57] was going to blow up the Hoover dam.

With a few years of practice, [1o57] is turning crypto puzzles into an art. His DEFCON 22 badge had different lanyards that needed to be arranged to spell out a code. To solve the puzzle, you’ll need to talk to other people, a great way to meet one of [1o57]’s goals of getting all the natural introverts working together.

Oh. This talk has its own crypto challenge, something [1o57] just can’t get out of his blood:

So far nobody has solved the @hackaday 10 year anniversary in-talk-mini-crypto-puzzle-of-doom…("it's only a model")

— LosT/李智上 (@1o57) October 5, 2014

We talked for a little bit, and 0x06 0x0a1 MFY YWXDWE MEOYOIB ASAE WBXLU BC S BLOQ ZTAO KUBDR HG SK YTTZSLBIMHB

BadUSB Means We’re All Screwed

October 5, 2014 by Mike Szczys 138 Comments

Does anyone else get the feeling that the frequency of rather horrible vulnerabilities coming to light is accelerating? Off the top of our head, there’s Heartbleed, Shellshock, and now this one. The BadUSB exploit attack stems from the “invisible” microcontroller in most USB devices.

We first heard about it when we were attending DEFCON in August. The exploit had been announced the same week at Blackhat but there wasn’t much information out yet. Now the talk has been posted and there’s a well-explained overview article at Big Mess o’ Wires.

Here’s how this one goes: all USB devices rely on a microcontroller to handle the peripheral-side of USB communications. The computer doesn’t care which microcontroller, nor does it have a way of knowing even if it wanted to. The uC is “invisible” in this situation, it’s the interface and data flowing through it that the computer cares about. BadUSB is an attack that adds malicious functionality to this microcontroller. To the computer it’s a perfectly normal and functional USB device, while all the bad stuff is happening on the peripheral’s controller where the computer can’t see it.

How deeply do you think about plugging each and every USB device? Check out what happens at 19:20 into the video below. The USB device enumerates and very quickly sets up a spoofed Ethernet connection. You can still load a webpage via WiFi but the fake connection is forwarding packets to a second server.

Once discovered, you can wipe the computer and this will stop happening; until you plug the same device again and reinfect. Worse yet, because the controller is invisible to the computer there’s almost no way to scan for infected devices. If you are smart enough to suspect BadUSB, how long will it take you to figure out if its your mouse, your keyboard, a thumb drive, a webcam, your scanner… you get the point.

Continue reading “BadUSB Means We’re All Screwed” →

Very Dumb Security For A WiFi Thermostat

September 29, 2014 by Brian Benchoff 47 Comments

We have finally figured out what the Internet of Things actually is. It turns out, it’s just connecting a relay to the Internet. Not a bad idea if you’re building a smart, Internet-connected thermostat, but you have no idea how bad the security can be for some of these devices. The Heatmiser WiFi thermostat is probably the worst of the current round of smart home devices, allowing anyone with even a tiny amount of skill to control one of these thermostats over the Internet.

The Heatmiser is a fairly standard thermostat, able to connect to an 802.11b network and controllable through iOS, Android, and browser apps. Setting this up on your home network requires you to forward port 80 (for browser access) and port 8068 (for iOS/Android access). A username, password, and PIN is required to change the settings on the device, but the default credentials of user: admin, password: admin, and PIN: 1234 are allowed. If you’re on the same network as one of these devices, these credentials can be seen by looking at the source of the webpage hosted on the thermostat.

if you connect to this thermostat with a browser, you’re vulnerable to cross-site request forgery. If you use the Android or iOS apps to access the device with the custom protocol on port 8068, things are even worse: there is no rate limiting for the PIN, and with only four digits and no username required, it’s possible to unlock this thermostat by trying all 10,000 possible PINs in about an hour.

There are about a half-dozen more ways to bypass the security on the Heatmiser thermostat, but the most damning is the fact there is no way to update the firmware without renting a programmer from Heatmiser and taking the device apart. Combine this fact with the huge amount security holes, and you have tens of thousands of installed devices that will remain unpatched. Absolutely astonishing, but a great example of how not to build an Internet connected device.