Security Hacks

1430 Articles

Arduino, Resistor, And Barrel Plug Lay Waste To Millions Of Hotel Locks

July 25, 2012 by 63 Comments

The security flaws on this common hotel keycard lock are nothing short of face-palmingly stupid. Look closely at the picture above. This is a hotel room door swinging open. The device he holds in his hand is an Arduino connected to the OUTSIDE portion of the door lock. It takes approximately 200 milliseconds from the time an attacker plugs the device in, until the door can be opened. Yes, in less than 1/4 of one second an Arduino can open any of the millions of these locks in service.

The exploit in Onity programmable keycard locks was revealed by [Cody Brocious] at the Blackhat conference. Apparently the DC barrel jack on the outside of the lock serves as a one-wire protocol interface. Once communications are established a 32-bit sitecode can be read from any of the locks and immediately used to open the door. There is no authentication or encryption used to obfuscate this kind of attack. To make matters worse, you can even read out master key and skeleton key codes. These codes facilitate ‘magic’ keys used to open a variety of different doors through the system.

We’re no strangers to easy hotel beak-ins. But how can a digital lock possibly be sold with this type of vulnerability present? Really!?

Here’s the white paper on the exploit as well as the slides from his talk (PDF).

[via Reddit]

Power Pwn’s Price Tag Is As Dangerous As It’s Black-hat Uses

July 22, 2012 by 45 Comments

This rather normal-looking power strip hides a secret inside. It’s called the Power Pwn, and it conceals hardware which facilitates remote penetration testing of a network. It really is the ultimate in drop hardware as you can quickly swap it with existing power strip. Who’s going to question it?

It’s got almost all the bells and whistles. There’s dual Ethernet ports, Bluetooth with 1000′ range, and WiFi with a high gain antenna. The SoC inside comes with Debian 6 and all the exploit tools you might want pre-loaded. There’s even a 3G adapter, but it’s external and not pictured above. The thing is, for a pre-order price-tag of  $1,295 we think that 3G should have been internalized and come with a lifetime unlimited data plan! That could be a bit overboard… our heads are still spinning from the sticker shock.

This isn’t the first time we’ve seen hardware from this company. Their Pwn Plug was used in this project. We just didn’t catch the $595 price tag for that device until now.

[via Reddit via Zdnet]

Time-based One-Time Passwords With An Arduino

July 11, 2012 by 13 Comments

Get your feet wet with Time-based One-Time Password (TOTP) security by building your own Arduino OATH system. OATH is an open standard authentication system that provides a platform to generate tokens, making your login more secure than a password alone would.

The TOTP approach is what is used with many companies that issue hardware-based dongles for logging in remotely. This security may have been compromised but it’s still better than passwords alone. Plus, if you’re building it around an Arduino we’d bet you’re just trying to learn and not actually responsible for protecting industrial or state secrets.

The hardware setup requires nothing more than the Arduino board with one button and a screen as a user interface. Since the board has a crystal oscillator it keeps fairly accurate time (as long as it remains powered). It will push out a new token every thirty seconds. The video after the break shows that the Arduino-calculated value does indeed match what the test box is displaying.

Continue reading “Time-based One-Time Passwords With An Arduino”

Software-Defined Radio Remotely Using A Linux Wall wart

July 9, 2012 by 18 Comments

Here’s a interesting idea; if the hardware seen above is dropped at a location, you can monitor radio signals remotely via the Internet. [MS3FGX] has been toying with the idea for a little while now. He wanted to use a DVB dongle with a portable Linux solution to offer Software-Defined Radio (SDR) capability without the need to actually be there.

The white box is a PWN Plug, a branded version of the SheevaPlug. The black dongle that plugs into it is a DVB tuner dongle. It’s meant to receive television signals over the radio, but recently the hardware has been used as a simple way to implement SDR. Combine the two (along with the antenna), stir in a network connection, and you’ve got a remote listening post. What can you listen to? Just about anything that’s within the dongle’s bandwidth range. [MS3FGX] mentions walkie-talkie traffic and pager signals, to name just two.

He even wrote an installation script that gets you up and running in no time.

Keyless BMW Cars Prove To Be Very Easy To Steal

July 7, 2012 by 84 Comments

A lot of higher end cars are now coming out with RF fobs that unlock and start the car. There is no longer a physical key that is inserted in the ignition. It turns out that for BMW this means stealing the cars is extremely easy for a sophisticated criminal. We always liked the idea of metal keys that ALSO had a chip in them. The two-tiered security system makes sense to us, and would have prevent (or at least slowed down) the recent  rash of BMW thefts that are going on in the UK.

So here’s the deal. A device like the one seen above can be attached to the On-Board Diagnostic (ODB) port of the vehicle. It can then be used to program a new keyfob. This of course is a necessary feature to replace a lost or broken device, but it seems the criminals have figured out how to do it themselves. Now the only hard part is getting inside the car without setting off the alarm. According to this article there are ultrasonic sensors inside which are designed to detect intrusion and immobilize the vehicle. But that’s somehow being circumvented.

You can check out a keyfob programming demo, as well as actual theft footage, after the break.

Continue reading “Keyless BMW Cars Prove To Be Very Easy To Steal”

Building A Moat For Your Hackerspace; Alligators, Piranhas Not Included

July 4, 2012 by 11 Comments

There has to be something tainting the water supply over at the Louisville Hackerspace LVL1. They’re building a freaking moat in front of their building, ostensibly to keep the black knight and zombies at bay.

After digging a 14-foot deep trench in front of their building – a hazard mitigated by a few steel plates and orange cones generously donated by the Louisville city workers – the members of LVL1 started moving pipes around in preparation for their moat.

Officially, the Louisville city council thinks this project will be a fountain and reflecting pool. City hall seems very friendly; the Louisville chamber of commerce asked about including LVL1 in next year’s Derby tour.

The barely-zombie proof moat build is the latest in a series of builds to improve the security of LVL1. Previous builds included a robotic overlord guarding the building and a robotic arm to cajole members into doing its bidding. Like we said, there’s probably something in the water supply.

Penetration Testing With The Raspberry Pi

June 28, 2012 by 28 Comments

PwnPi is a penetration testing distribution rolled up for the Raspberry Pi platform. This should come as no surprise to anyone. The RPi board has a beefy processor, it’s relatively low power, has the option of the on-board NIC or a USB WiFi dongle, and it already has Linux kernel and desktop sources available to start from.

Now we will admit we’re a bit disappointed from this tip. Don’t get us wrong, the distro looks like it’s well done, and we’re sure there are a lot of folks out there who will be happy to have these tools to help test their network security. But this is a software only hack and we were expecting to see a nice little covert package that could be plugged into an outlet (SheevaPlug style), or a battery-powered module that can be plugged into an Ethernet port and hidden away.

Now you know what we want, don’t forget to send in a link once you pull it off.

[Thanks Scott]