Encrypted Drive Attack Hints At Original Xbox Hacking

[Thice] discovered a vulnerability in encrypted portable storage a few years ago. He’s just posting about the exploit now. He mentions that he notified manufacturers long ago and we’d guess the wait to publish is to give them a chance to patch the exploit.

He calls it the Plug-Over Attack and for those who were involved with original Xbox hacking, this technique will sound very familiar. The Xbox used hard drive keys to lock the device when not in use. When you booted up the console it checked the hardware signature to make sure it was talking to the right motherboard. But if you booted up the device, then swapped the IDE cable over to a computer without cutting the power you could access the drive without having the password.

This attack is pretty much the same thing. Plug in a drive, unlock it on the victim system the normal way, then replug into the attacking system. In the image above you can see that a USB hub will work for this, but you can also use a hacked USB cable that patches a second jack into the power rail. For some reason the encryption system isn’t able to lock itself when the USB enumerates on the new system, only when power is cycled. Some of them have a timer which watches for drive idle but that still doesn’t protect from this exploit.
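The lock-state behaviour described above can be modelled in a few lines. This is an added example, not code from [Thice] or any drive vendor: the event names, the `relock_on_enumerate` option and the tick-based idle timer are assumptions made for the model.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Enclosure:
    """Toy lock-state model of an encrypted USB enclosure (constructed)."""
    relock_on_enumerate: bool = False    # hypothetical firmware option
    idle_timeout: Optional[int] = None   # idle ticks before auto-lock, None = no timer
    powered: bool = False
    unlocked: bool = False
    idle: int = 0

    def handle(self, event: str) -> str:
        if event == "power_on":
            self.powered, self.unlocked, self.idle = True, False, 0
            return "ok"
        if event == "power_off":
            self.powered = self.unlocked = False
            return "ok"
        if not self.powered:
            return "no-power"
        if event == "enumerate":         # bus reset: a host (re)discovers the device
            if self.relock_on_enumerate:
                self.unlocked = False
        elif event == "unlock":          # correct password from the current host
            self.unlocked, self.idle = True, 0
        elif event == "tick":            # one unit of time with no I/O
            self.idle += 1
            if self.idle_timeout is not None and self.idle >= self.idle_timeout:
                self.unlocked = False
        elif event == "read":
            self.idle = 0
            return "plaintext" if self.unlocked else "denied"
        return "ok"

def final_read(enclosure, events):
    """Replay the events in order and return the outcome of the last one."""
    result = ""
    for event in events:
        result = enclosure.handle(event)
    return result

# Sequence from the post: unlock on the first host, move the data lines to a
# second host while power stays up, then read from the second host.
PLUG_OVER = ["power_on", "enumerate", "unlock", "read", "tick", "enumerate", "read"]
POWER_CYCLE = ["power_on", "enumerate", "unlock", "power_off", "power_on", "enumerate", "read"]
LEFT_IDLE = ["power_on", "enumerate", "unlock"] + ["tick"] * 5 + ["read"]

if __name__ == "__main__":
    for name, cfg in [("power-only lock", {}), ("idle timer", {"idle_timeout": 5}),
                      ("relock on enumerate", {"relock_on_enumerate": True})]:
        print(f"{name:20} plug-over read -> {final_read(Enclosure(**cfg), PLUG_OVER)}")
```

Only the variant that treats a fresh enumeration as a lock event refuses the second host; the idle timer never fires because the swap happens well inside its window.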

Stiltwalker Beat Audio ReCAPTCHA

This talk from the 2012 LayerOne conference outlines how the team built Stiltwalker, a package that could beat audio reCAPTCHA. We’re all familiar with the obscured images of words that need to be typed in order to confirm that you’re human (in fact, there’s a cat and mouse game to crack that visual version). But you may not have noticed the option to have words read to you. That secondary option is where the toils of Stiltwalker were aimed, and at the time the team achieved 99% accuracy. We’d like to remind readers that audio is important as visual-only confirmations are a bane of visually impaired users.

This is all past-tense. In fact, about an hour before the talk (embedded after the break) Google upgraded the system, making it much more complex and breaking what these guys had accomplished. But it’s still really fun to hear about their exploit. There were only 58 words used in the system. The team found out that there’s a way to exploit the entry of those words, misspelling them just enough so that they would validate as any of up to three different words. Machine learning was used to improve the accuracy when parsing the audio, but it still required tens of thousands of human verifications before it was reliably running on its own.


Keep An Eye On Your Palatial Estate With This Solar Powered WiFi Cam

If you’re expecting the serfs to hop the fence with pitchforks and torches you may want to employ a surveillance system. WiFi cameras are a cheap way of doing this, but you’ll need power. [CheapGuitar] decided not to run extension cords, and instead added solar power to his wireless camera. The solar panels are easy to spot in this image, but you’ll have to look close to see the camera.

He already had everything on hand, and this included a cheap WiFi camera which runs on 5V. To weatherproof it he used a plastic sandwich meat container. This is actually one of our favorite project enclosures; we used it for our door-bell button garage door lock. [CheapGuitar] painted it black to help keep it hidden after cutting a hole in the lid for the camera lens. Under the solar panels you’ll find a 12V car battery which uses a USB car charger to regulate voltage for the camera. Each of the panels is a 5W trickle charger and they’re designed to top off deep cycle batteries. The entire thing is cleverly hidden behind his existing landscaping.

[via Reddit]

Brute Forcing The Password On A Terribly Insecure Hard Drive

While at work one day, [Marco] was approached by a colleague holding a portable USB hard drive. This hard drive – a Freecom ToughDrive – has a built-in security system requiring a password every time the drive is mounted. Somewhat predictably, the password on this hard drive had been lost, so [Marco] brute forced the password out of this drive.

The Freecom ToughDrive requires a password whenever the drive is plugged in, but only allows 5 attempts before it needs to be power cycled. Entering the passwords was easy to automate, but there was still the issue of unplugging the drive after five failed attempts. [Marco] called upon his friend [Alex] to build a small USB extension cable with a relay inserted into the 5 V line. An easy enough solution after which the only thing needed was the time to crack the password.

The rig successfully guessed the password after 500 attempts, or after cycling the power 100 times. This number is incredibly low for getting a password via brute force, but then again the owner of the hard drive was somewhat predictable as to what passwords they used.
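Why a five-try limit that resets on power-up offers so little protection, as an added example (not [Marco]'s tooling and not Freecom firmware): the model below compares a counter held only in RAM with one that also persists across power loss. The `lifetime_limit` of 20 and the placeholder secret are assumptions.

```python
import hmac

class AttemptLimiter:
    """Toy model of a drive's wrong-password limiter (constructed)."""
    MAX_PER_SESSION = 5            # from the post: 5 tries, then a power cycle is needed

    def __init__(self, persistent, lifetime_limit=20):
        self.persistent = persistent          # False models the behaviour in the post
        self.lifetime_limit = lifetime_limit  # hypothetical cap across power cycles
        self.session_failures = 0             # RAM: lost when power is cut
        self.nv_failures = 0                  # non-volatile: survives power loss

    def power_cycle(self):
        self.session_failures = 0             # nv_failures deliberately untouched

    def try_password(self, guess, secret):
        if self.persistent and self.nv_failures >= self.lifetime_limit:
            return "locked-out"
        if self.session_failures >= self.MAX_PER_SESSION:
            return "power-cycle-required"
        if hmac.compare_digest(guess, secret):
            self.session_failures = self.nv_failures = 0
            return "unlocked"
        self.session_failures += 1
        self.nv_failures += 1                 # commit before reporting the failure
        return "wrong"

def wrong_guesses_evaluated(limiter, sessions, secret=b"constructed-secret"):
    """Count how many wrong guesses the limiter actually checks over N power-ups."""
    evaluated = 0
    for _ in range(sessions):
        limiter.power_cycle()
        while limiter.try_password(b"not-the-password", secret) == "wrong":
            evaluated += 1
    return evaluated

if __name__ == "__main__":
    print("volatile counter :", wrong_guesses_evaluated(AttemptLimiter(False), 100))
    print("persistent cap   :", wrong_guesses_evaluated(AttemptLimiter(True), 100))
```

With the volatile counter, 100 power-ups yield the same 500 evaluated guesses the post reports; with the persistent cap the drive stops checking after 20 regardless of how often power is cut.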

Reading RFID Cards From Afar Easily

RFID hacking has been around for years, but so far all the builds to sniff data out of someone’s wallet have been too large, too small a range, or were much too complicated for a random Joe to build in his workshop. [Adam]’s RFID sniffer gets around all those problems, and provides yet another reason to destroy all the RFID chips in your credit cards.

The project was inspired by this build that took a much larger RFID reader and turned it into a sniffer capable of covertly reading debit cards and passports from the safety of a backpack or briefcase. [Aaron]’s build uses a smaller off-the-shelf RFID reader, but he’s still able to read RFID cards from about a foot away.

[Aaron]’s build is very simple consisting of only an Arduino and SD card reader. [Aaron] is able to capture all the data from an RFID card, write that data to the SD card, and emulate a card using his RFID cloner.

What’s really impressive about the build is that [Aaron] says he’s not a programmer or electrical engineer. His build log is full of self-denigration that shows both how humble [Aaron] is and how easy it is for anyone with the requisite skill set to clone the bank card sitting in your wallet. We don’t know about you, but you might want to line your wallet with aluminum foil from now on.

CAPTCHA Bot Beats New Are You A Human PlayThru Game

What do you put on your pancakes? Butter and syrup but not a pair of shoes? This makes sense to us, and it’s the premise of the new CAPTCHA game PlayThru. The space that is normally filled by nearly illegible text is now taken up by a little graphic-based game where you drag the appropriate items to one part of the screen. In addition to being easier than deciphering letters, this new platform shouldn’t require localization. But alas, it seems the system is already broken. [Stephen] sent us a link to a bot that can pass the PlayThru CAPTCHA.

Take a look at the video after the break to see the four test-runs. It looks like the bot is just identifying the movable objects and trying them out. Sometimes this is quick, sometimes not. But it does eventually succeed. For the PlayThru developers this should be pretty easy to fix, just make an error limit for trying the wrong item. At any rate, we can’t think defeating the current system is nearly as hard as defeating reCaptcha was.

Update: [Tyler] over at Are You A Human wrote in to share their side of this story. Apparently we’re seeing the bot play the game, but not necessarily pass it. It isn’t until the game is finished and the playing information is sent to their servers that a decision is made on whether it is successful or not. This way they can change the authentication parameters from the server side at any time.

At the same time, [Stephen] updated his bot and made a video of it playing the game without any shoes on the pancakes.
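A sketch of the error limit suggested above, applied where the update says the decision is made: on the server, after the finished game's play data arrives. This is an added example, not Are You A Human's code; the log format, the item names and the `max_wrong` threshold are assumptions.

```python
# Constructed answer key for one challenge; item names echo the pancake example.
CORRECT = frozenset({"butter", "syrup"})

def score_session(events, correct=CORRECT, max_wrong=1):
    """Server-side verdict for a finished game, from the uploaded drop log.

    The log comes from the client, so treat it as untrusted input: malformed
    entries are ignored, never trusted to carry their own verdict.
    """
    placed, wrong = set(), 0
    for ev in events:
        if ev.get("type") != "drop" or ev.get("target") != "pancakes":
            continue                     # drags that never landed on the target
        if ev.get("item") in correct:
            placed.add(ev["item"])
        else:
            wrong += 1                   # every wrong drop counts, repeats included
    if wrong > max_wrong:
        return {"passed": False, "reason": "too many wrong items", "wrong": wrong}
    if placed != set(correct):
        return {"passed": False, "reason": "incomplete", "wrong": wrong}
    return {"passed": True, "reason": "ok", "wrong": wrong}

def drops(*items):
    """Build a constructed play log: one drop on the pancakes per item."""
    return [{"type": "drop", "item": i, "target": "pancakes"} for i in items]

# Constructed sample logs: a careful player, a player who slips once, and a
# session that tries every movable object until the game ends.
CAREFUL = drops("butter", "syrup")
ONE_SLIP = drops("shoes", "butter", "syrup")
TRY_EVERYTHING = drops("shoes", "hammer", "butter", "sock", "syrup")

if __name__ == "__main__":
    for name, log in [("careful", CAREFUL), ("one slip", ONE_SLIP),
                      ("try everything", TRY_EVERYTHING)]:
        print(f"{name:15} -> {score_session(log)}")
```

The try-everything session reaches the end of the game on screen yet fails the server-side check, which matches the distinction the update draws between playing the game and passing it.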


Fairly Simple Hack Makes Samsung TVs Reboot Forever

[Luigi Auriemma] almost rendered his brother’s TV useless attempting to play a simple practical joke. In the process, he uncovered a bug that could potentially upset a lot of people. His idea was to connect a computer to the system via WiFi, masquerading as a remote control. [Luigi] found that by altering the packet being sent to the TV by adding a line feed and some other characters to the name, it would begin an endless reboot loop.

He also discovered that he could easily crash the devices by setting the MAC address string too long. We’re not sure if he’s modifying the remote, or the television on this one though.

These bugs affect the Samsung TVs and Blu Ray players that utilize the same chip. The crazy part is that despite his attempts, he has been unable to contact anyone at Samsung to let them know!

[via BoingBoing]