Gaining Access To The Oculus Developer Database

September 1, 2014 by Matt Terndrup 23 Comments

One of the hackers over at Bitquark popped a shell on on the Oculus Developer Portal giving him full reign over the special admin panel inside. If he felt so inclined, this allowed him edit users, modify projects, add news articles, edit the dashboard, upload SDK files, and variety of other goodies.

The process started by using a SQL injector called BSQLi to test out parameters, cookies, and headers. Injecting into the header revealed that the Oculus team members were inserting X-Forwarded-For headers directly into the database without proper escape formatting. This got him in the door, and with a little assistance from sqlmap, the database was enumerated, and a pattern was recognized. Oculus passwords that were stored in the DB were heavily hashed. However, the user session variables remained unprotected. A SQL query was quickly built, the latest admin session was promptly extracted, and then the information was plugged in granting access to the portal. A bit more snooping around uncovered that the AJAX eval() preview script wasn’t secured by a CSRF token which could easily be exploited by a malicious hacker.

The findings were then turned into Facebook who paid the guy $15,000 for the first vulnerability plus the privilege escalation attack. $5,000 was then awarded for each subsequent SQL injection as the admin account takeover vulnerability that was found, giving the guy a nice payout for a week’s worth of work.

Green Light Your Commute With America’s Unsecured Traffic Lights

August 31, 2014 by Edward Becker 85 Comments

Remember that episode of Leverage (season 5, episode 3), where Alec uses Marvin to wirelessly change all the street lights green so they can catch up to an SUV? And you scoffed and said “that’s so not real!”… well actually they got it right. A new study out of the University of Michigan (PDF warning), shows just how easy it is to make your morning commute green lights all the way.

The study points out that a large portion of traffic lights in the United States communicate with each other wirelessly over the 900Mhz and 5.8Ghz ISM band with absolutely no encryption. In order to connect to the 5.8Ghz traffic signals, you simply need the SSID (which is set to broadcast) and the proper protocol. In the study the researchers used a wireless card that is not available to the public, but they do point out that with a bit of social engineering you could probably get one. Another route is the HackRF SDR, which could be used to both sniff and transmit the required protocol. Once connected to the network you will need the default username and password, which can be found on the traffic light manufacturer’s website. To gain access to the 900Mhz networks you need all of the above and a 16-bit slave ID. This can be brute forced, and as the study shows, no ID was greater than 100. Now you have full access, not to just one traffic signal, but EVERY signal connected to the network.

Once on the network you have two options. The completely open debug port in the VxWorks OS which allows you to read-modify-write any memory register. Or by sending a(n) UDP packet where the last byte encodes the button pressed on the controller’s keypad. Using the remote keypad you can freeze the current intersection state, modify the signal timing, or change the state of any light. However the hardware Malfunction Management Unit (MMU) will still detect any illegal states (conflicting green or yellow lights), and take over with the familiar 4-way red flashing. Since a technician will have to come out and manually reset the traffic signal to recover from an illegal state, you could turn every intersection on the network into a 4-way stop.

So the next time you stop at a red light, and it seems to take forever to change, keep an eye out for the hacker who just green lit their commute.

Thanks for the tip [Matt]

Stupid Security In A Security System

August 28, 2014 by Brian Benchoff 66 Comments

alarm

[Yaehob]’s parents have a security system in their house, and when they wanted to make a few changes to their alarm rules – not arming the bathroom at night – an installer would come out, plug a box into the main panel, press a few buttons, and charge 150 €. Horrified at the aspect of spending that much money to flip a few bits, [yaehob] set out to get around the homeowner lockout on the alarm system, and found security where he wasn’t expecting.

Opening the main panel for the alarm system, [yaehob] was greeted with a screeching noise. This was the obvious in retrospect tamper-evident seal on the alarm box, easily silenced by entering a code on the keypad. The alarm, however, would not arm anymore, making the task of getting ‘installer-level’ access on the alarm system a top priority.

After finding a DE-9 serial port on the main board, [yaehob] went to the manufacturer’s website thinking he could download some software. The website does have the software available, but only for authorized distributors, installers, and resellers. You can register as one, though, and no, there is no verification the person filling out a web form is actually a distributor, installer, or reseller. dist

Looking at the installer and accompanying documentation, [yaehob] could see everything, but could not modify anything. To do that would require the installer password, which, according to the documentation was between four and six characters. The system also responded quickly, so brute force was obviously the answer here.

After writing up a quick script to go through all the possible passwords, [yaehob] started plugging numbers into the controller board. Coming back a bit later, he noticed something familiar about what was returned when the system finally let him in. A quick peek at where his brute force app confirmed his suspicions; the installer’s code was his postal code.

From the installer’s point of view, this somewhat makes sense. Any tech driving out to punch a few numbers into a computer and charge $200 will always know the postal code of where he’s driving to. From a security standpoint, holy crap this is bad.

Now that [yaehob]’s parents are out from under the thumb of the alarm installer, he’s also tacked on a little bit of security of his own; the installer’s code won’t work anymore. It’s now changed to the house number.

DEFCON: Blackphone

August 27, 2014 by Brian Benchoff 35 Comments

Despite being full of techies and people doing interesting things with portable devices, you don’t want to have an active radio on you within a quarter-mile of DEFCON. The apps on your phone leak personal data onto the Internet all the time, and the folks at DEFCON’s Wall Of Sheep were very successful in getting a few thousand usernames and passwords for email accounts.

Blackphone is designed to be the solution to this problem, so when we ran into a few members of the Blackphone crew at DEFCON, we were pretty interested to take a quick peek at their device.

The core functionality for the Blackphone comes from its operating system called PrivatOS. It’s a fork of Android 4.4.2 that is supposed to seal up the backdoors found in other mobile phones. There’s also a bundle of apps from Silent Circle that give the Blackphone the ability to make encrypted phone calls, texts (with file sharing), and encrypted and password protected contact lists.

The hardware for the Blackphone is pretty impressive; a quad-core Nvidia Tegra provides all the power you need for your apps, video, and playing 2048, a 2000mAh battery should provide enough juice to get you through a day or two (especially since you can turn off cores), and the usual front/rear cameras, GPS, 802.11bgn and GSM and HSPA+/WCDA radios means this phone will be useable on most networks.

Phone Gyroscope Signals Can Eavesdrop On Your Conversations

August 24, 2014 by Mathieu Stephan 9 Comments

A gyroscope is a device made for measuring orientation and can typically be found in modern smartphones or tablet PCs to enable rich user experience. A team from Stanford managed to recognize simple words from only analyzing gyroscope signals (PDF warning). The complex inner workings of MEMS based gyroscopes (which use the Coriolis effect) and Android software limitations only allowed the team to only sniff frequencies under 200Hz. This may therefore explain the average 12% word recognition rate that was achieved with custom recognition algorithms. It may however still be enough to make you reconsider installing an app that don’t necessarily need access to the on-board sensors to work. Interestingly, the paper also states that STMicroelectronics currently have a 80% market share for smartphone / Tablet PCs gyroscopes.

On the same topic, you may be interested to check out a gyroscope-based smartphone keylogging attack we featured a couple of years ago.

Hat Hash Hacking At DEFCON

August 21, 2014 by Mike Szczys 12 Comments

You probably remember that for DEFCON I built a hat that was turned into a game. In addition to scrolling messages on an LED marquee there was a WiFi router hidden inside the hat. Get on the AP, load any webpage, and you would be confronted with a scoreboard, as well as a list of usernames and their accompanying password hashes. Crack a hash and you can put yourself on the scoreboard as well as push custom messages to the hat itself.

Choosing the complexity of these password hashes was quite a challenge. How do you make them hackable without being so simple that they would be immediately cracked? I suppose I did okay with this because one hacker (who prefers not to be named) caught me literally on my way out of the conference for the last time. He had snagged the hashes earlier in the weekend and worked feverishly to crack the code. More details on the process are available after the jump.

Continue reading “Hat Hash Hacking At DEFCON” →

The ChipWhisperer At Defcon

August 20, 2014 by Brian Benchoff 24 Comments

We’ve seen [Colin]’s entry to The Hackaday Prize before. After seeing his lightning talk at Defcon, we had to get an interview with him going over the intricacies of this very impressive piece of hardware.

The ChipWhisperer is a security and research platform for embedded devices that exploits the fact that all security measures must run on real hardware. If you glitch a clock when a microcontroller is processing an instruction, there’s a good probability something will go wrong. If you’re very good at what you do, you can simply route around the code that makes up the important bits of a security system. Power analysis is another trick up the ChipWhisperer’s sleeve, analyzing the power consumption of a microcontroller when it’s running a bit of code to glean a little information on the keys required to access the system. It’s black magic and dark arts, but it does work, and it’s a real threat to embedded security that hasn’t had an open source toolset before now.

Before our interview, [Colin] did a few short and sweet demos of the ChipWhisperer. They were extraordinarily simple demos; glitching the clock when a microcontroller was iterating through nested loops resulted in what can only be described as ‘counter weirdness’. More advanced applications of the ChipWhisperer can supposedly break perfectly implemented security, something we’re sure [Colin] is saving for a followup video.

You can check out [Colin]’s 2-minute video for his Hackaday Prize entry below.

Continue reading “The ChipWhisperer At Defcon” →