Microcorruption Embedded CTF

The folks at Matasano Security and Square have teamed up to build an online capture the flag (CTF) competition. The Microcorruption CTF focuses on embedded security and challenges players to reverse engineer a fictional “Lockitall LockIT Pro” lock system.

Each level places you in a debugging environment with a disassembly listing, live memory view, register view, and debugging console. You can set breakpoints, step through code, and modify registers like in a real debugging environment. Your goal is to figure out how to bypass the lock to collect bearer bonds.

While the device and motive may be fictional, the assembly is actual MSP430 code. The debugger is similar to GDB connected to a remote target using OpenOCD. There’s even a manual (PDF) to help you get up to speed with writing MSP430 code for the device.

This CTF looks like a great introduction to embedded security, and doesn’t require buying real hardware. It even includes a full tutorial to get you started.

Clever Reed Switch Catches Thief

When [Abhimanyu Kumar] noticed money going missing from his small bookshop, he decided to set up a little trap to catch the thief.

The problem was that the bookshop’s money was stored inside a cupboard in their house (back end of the shop), which meant that the culprit was likely one of their own employees. They already have a CCTV system installed in the actual store, and although he could simply add another camera in the house, [Abhimanyu] didn’t really want to do that.

He instead devised a simple security trap, dubbed the Jugaad Security System. In Hindi, Jugaad quite literally means “hack”. He added a small magnetic reed switch to the cupboard where the money is stored—well, was stored—which is then linked directly to an intervalometer. This then connects to an inconspicuous DSLR sitting on one of the work benches. He aimed the camera at the cupboard and, in case the lights are out when the system is tripped, set it to an extremely high ISO.


Keeping The Family Off The Net With An Undocumented Backdoor


When [Eloi] was home for Christmas, he faced one of the most difficult problems man has ever faced: his entire family, equipped with smartphones and laptops, siphoning all the Internet through a 1Mb/s connection. For any technically minded person, the fix for this problem is to limit the bandwidth for all those Facebook and Twitter-heads, while leaving [Eloi]’s battlestation unaffected. [Eloi] had originally set up the Linksys WAG200G router in the family home a few years ago but had since forgotten the overly complex admin password. No worries, then, because apparently the WAG200G is open as wide as a barn door with a completely undocumented backdoor.

Without the password to the admin panel of the router, [Eloi] needed a way in. After pointing nmap at the router, he found an undocumented service running on port 32764. Googling this observation resulted in a lot of speculation, so the only option was to download the router’s firmware, look for the service, and figure out a way in.

[Eloi] eventually got a shell on the router and wrote a very short Python script to automate the process for all WAG200G routers. As for where this backdoor came from, it appears a SerComm device on the router is responsible. This means a whole bunch of routers with this specific SerComm module also have this backdoor, and we’d assume anything with a service running on port 32764 is suspect.

If you’re looking for a fix for this backdoor, your best bet is probably installing OpenWRT or Tomato. The OpenWAG200 project, an open firmware specifically designed for [Eloi]’s router, still has this vulnerability, though.

Doggy DVR Alarm Sensor


[Martin] lives in a small village about 25km from his job in a major city. Occasionally his home alarm system will trip and he will rush home to make sure everything is okay. So he decided to buy a DVR system instead… and he turned his dog’s collar into one of the main sensors.

As you may know, DVRs also have sensor inputs in addition to loads of video cameras. These can be very handy to tell you other things that a small video clip will not, such as moisture, humidity, temperature etc. [Martin’s] DVR has 8 sensor inputs which he has configured to be the normally open type of sensors. By using a Sharp 817 optocoupler and a Funky v3 wireless module he made one of the sensor inputs wireless.

On the other end of the Funky wireless setup is a Kinder Surprise shell attached to his dog’s collar. In addition to the wireless module, it also contains a rudimentary 2-axis shock sensor consisting of a small spring that floats over a metal pin — when moved violently (when the dog is running about) it makes contact and [Martin’s] DVR alerts him by email and sends him pictures from the system.

He suspects he’ll be getting lots of pictures of the dog getting spooked by cats wandering by.

Key Cutting With A CNC Mill


Keys cost like what, $2 to copy at a locksmith? But where’s the fun in that? Here’s an easy way to cut your own keys using a CNC mill!

[Bolsterman] now “works” for a real estate company that rents out various properties. Whenever someone moves out, the locks need to be changed ASAP. They use Schlage locks, which can be re-keyed to any pin combination. New keys are typically cut with a punch or a key cutting machine — he actually had one years ago, but got rid of it. Not wanting to buy a new one for his new job at the real estate company, he decided to see how hard it would be to turn his small desktop CNC into his own personal key cutting machine.

All it took for [Bolsterman] to turn his mill into a key cutting machine was a 3/8th 90° countersink bit with the end ground to a flat approximately 0.055″ across (0.035″ is the width of a factory key, but a bit of leeway makes it easier to make the key). Then you simply zero the mill off the shoulder of the key, and using the handy Schlage pin chart (included in the original link), cut the grooves!

To automate all of this, [Torrie Fischer] created a Python script for generating the GCode for keys based on [Bolsterman’s] technique — it’s hosted over at Noisebridge’s Wiki — check it out!

But if all that seems like too much effort, you could just print a new key instead…

Gesture Based Security Lock


A team of students from Cornell University are looking into alternative ways of creating a security system that can be locked or unlocked by using physical gestures in an enclosed space.

It is the final year project for [Ankur], [Darshan] and [Saisrinivasan] in their MEng in Electrical and Computer Engineering. The system prototype is capable of recording a gesture and then comparing the gesture with future gestures to lock or unlock the system. Consider it like a secret handshake to get into the office!

To analyze the gesture they are using four SparkFun proximity sensors set up in a linear array to sense the distance a hand is moved. An ATmega1284P is used to convert the analog sensor signal to digital for further processing. The project is extremely well documented, as it appears to be the final report for the project.

A short video after the break shows off the prototype and gives a good explanation of how the system works.


Chameleon Emulates Contactless Smart Cards


Researchers at Ruhr University of Bochum in Germany have been busy working with RFID and related devices for quite some time now. They call the fruit of their labors Chameleon, a versatile Contactless Smart Card Emulator. Contactless Smart Cards are RFID style devices that also contain a smart card style memory. These cards are often used for payment, replacing mag strip style credit cards. Philips MIFARE Classic cards are a common example of contactless smart cards. The Chameleon is set up to emulate any number of cards using the common 13.56MHz frequency band. Adding a new card is as simple as loading up a new CODEC and application to the firmware. Currently Chameleon can emulate MIFARE cards using the ISO14443A protocol.

The Chameleon is completely open source, and can be built for around $25 USD. The heart of the system is an Atmel ATxmega192A3 microcontroller. The 192 is a great microcontroller for this task because it contains hardware accelerators for both DES and AES-128. An FTDI USB interface chip is used to provide an optional communication link between a host computer and the ATxmega. The link can be used for debugging, as well as manipulating data in real-time. A host PC is not necessary for use though – the Chameleon will operate just fine as a stand-alone unit. We definitely like this project – though we’re going to be doubling down on the shielding in our RF blocking wallets.