Malware In A Mouse

March 30, 2014 by Brian Benchoff 36 Comments

Keyloggers, in both hardware and software forms, have been around for a long, long time. More devious keyloggers are smart enough to ‘type’ commands into a computer and install Trojans, back doors, and other really nasty stuff. What about mice, though? Surely there’s no way the humble USB mouse could become an avenue of attack for some crazy security shenanigans, right?

As it turns out, yes, breaking into a computer with nothing but a USB mouse is possible. The folks over at CT Magazine, the preeminent German computer rag, have made the Trojan mouse (German, terrible Google translation)

The only input a mouse receives are button presses, scroll wheel ticks, and the view from a tiny, crappy camera embedded in the base. The build reads this camera with an Arduino, and when a certain pattern of gray and grayer pixels appear, it triggers a command to download a file from the Internet. From there, and from a security standpoint, Bob’s your uncle.

Looking through the camera inside a mouse is nothing new; it’s been done over the Internet and turned into the worst scanner ever made. Still, being able to process that image data and do something with it is very cool. Just don’t accept mouse pads from strangers.

Danke [Ianmcmill] for the tip.

Automated Phone Cracker/App Tester Steps It Up A Notch

March 8, 2014 by James Hobson 20 Comments

delta bot cracks your passwords

Delta robots like this automated phone tester are awesome: high speed, accuracy, and mesmerizing to watch. [Justin Engler], a security researcher from ISEC Partners (also speaks at DEFCON on occasion) needed a robot to help with repetitive testing. He contacted the folks over at Marginally Clever to see if they could help him out, and they came up with this slick delta robot.

Normally they build these robots out of plywood, but [Justin] requested a bit more of a modern look, and although it looks blue, it’s actually clear acrylic: they haven’t removed the protective film yet. The robot is quite functional, but [Justin] plans on upgrading it in the future to increase the top speed. It currently has a built-in camera, using OpenCV to watch the log-in screen as it tries every combination as quickly as possible.

Stick around to see it in action!

Continue reading “Automated Phone Cracker/App Tester Steps It Up A Notch” →

Hacking Dell Laptop Charger Identification

March 3, 2014 by Eric Evenchick 99 Comments

If you’ve ever had a laptop charger die, you know that they can be expensive to replace. Many laptops require you to use a ‘genuine’ charger, and refuse to boot when a knock off model is used. Genuine chargers communicate with the laptop and give information such as the power, current, and voltage ratings of the device. While this is a good safety measure, ensuring that a compatible charger is used, it also allows the manufacturers to increase the price of their chargers.

[Xuan] built a device that spoofs this identification information for Dell chargers. In the four-part series (1, 2, 3, 4), the details of reverse engineering the communications and building the spoofer are covered.

Dell uses the 1-Wire protocol to communicate with the charger, and [Xuan] sniffed the communication using a MSP430. After reading the data and verifying the CRC, it could be examined to find the fields that specify power, voltage, and current.

Next, a custom PCB was made with two Dell DC jacks and an MSP430. This passes power through the board, but uses the MSP430 to send fake data to the computer. The demo shows off a 90 W adapter pretending to run at 65 W. With this working, you could power the laptop from any supply that can meet the requirements for current and voltage.

TARDIS Alarm Doesn’t Go VWORRRRRP VWRORRRP VWORRRP

February 11, 2014 by James Hobson 11 Comments

tardis alarm

Motion sensors are pretty useful — but they’re just so darn ugly! Well — if you’re a Whovian — maybe this hack is for you. A 3D printed TARDIS Motion Sensor Alarm!

[Malcolm] has a home security system that uses a series of motion sensors to detect movement in the house. When movement is detected an indicator LED turns on, and a wireless signal is sent to the main control system. So after discovering a nice 3D model of the TARDIS (Time and Relative Dimension in Space) on Thingiverse, he decided to see if he could hack one of his motion sensors to fit inside of it instead.

As it turns out, it was as simple as removing the sensor’s external shell, 3D printing a few support pieces inside of the TARDIS, and soldering on a bright blue LED to replace the dinky indicator light. Simple, but effective!

Don’t forget to check out the following video. Allons-y!

Continue reading “TARDIS Alarm Doesn’t Go VWORRRRRP VWRORRRP VWORRRP” →

Reverse Engineering A Bank’s Security Token

February 7, 2014 by Brian Benchoff 20 Comments

app

[Thiago]’s bank uses a few methods besides passwords and PINs to verify accounts online and at ATMs. One of these is a ‘security card’ with 70 single use codes, while another is an Android app that generates a security token. [Thiago] changes phones and ROMs often enough that activating this app became a chore. This left only one thing to do: reverse engineer his bank’s security token and build a hardware device to replicate the app’s functionality.

After downloading the bank’s app off his phone and turning the .APK into a .JAR, [Thiago] needed to generate an authentication code for himself. He found a method that generates a timestamp which is the number of 36-second intervals since April 1st, 2007. The 36-second interval is how long each token lasts, and the 2007 date means this part of the code was probably developed in late 2007 or 2008. Reverse engineering this code allowed [Thiago] to glean the token generation process: it required a key, and the current timestamp.

[Thiago] found another class that reads his phone’s android_id, and derives the key from that. With the key and timestamp in hand, he figured out the generateToken method and found it was remarkably similar to Google Authenticator’s implementation; the only difference was the timestamp epoch and the period each token lasts.

With the generation of the security token complete, [Thiago] set out to put this code into a hardware device. He used a Stellaris Launchpad with the Criptosuite and RTClib libraries. The hardware doesn’t include a real-time clock, meaning the date and time needs to be reset at each startup. Still, with a few additions, [Thiago] can have a portable device that generates security tokens for his bank account. Great work, and great example of how seriously his bank takes account security.

Microcorruption Embedded CTF

January 18, 2014 by Eric Evenchick 14 Comments

The folks at Matasano Security and Square have teamed up to build an online capture the flag (CTF) competition. The Microcorruption CTF focuses on embedded security and challenges players to reverse engineer a fictional “Lockitall LockIT Pro” lock system.

Each level places you in a debugging environment with a disassembly listing, live memory view, register view, and debugging console. You can set breakpoints, step through code, and modify registers like in a real debugging environment. Your goal is to figure out how to bypass the lock to collect bearer bonds.

While the device and motive may be fictional, the assembly is actual MSP430 code. The debugger is similar to GDB connected to a remote target using OpenOCD. There’s even a manual (PDF) to help you get up to speed with writing MSP430 code for the device.

This CTF looks like a great introduction to embedded security, and doesn’t require buying real hardware. It even includes a full tutorial to get you started.

Clever Reed Switch Catches Thief

January 8, 2014 by James Hobson 58 Comments

When [Abhimanyu Kumar] noticed money going missing from his small bookshop, he decided to set up a little trap to catch the thief.

The problem was that the bookshop’s money was stored inside a cupboard in their house (back end of the shop), which meant that the culprit was likely one of their own employees. They already have a CCTV system installed in the actual store, and although he could simply add another camera in the house, [Abhimanyu] didn’t really want to do that.

He instead devised a simple security trap: dubbed the Jugaad Security System. In Hindi, Jugaad quite literally means “hack”. He added a small magnetic reed switch to the cupboard where the money is stored—well, was stored—which is then linked directly to an intervalometer. This then connects to an inconspicuous DSLR sitting on one of the work benches. He aimed the camera at the cupboard and, in case the lights are out when the system is tripped, set it to an extremely high ISO.

Continue reading “Clever Reed Switch Catches Thief” →