Brute Force Finds The Lost Password For An Electronic Safe

January 21, 2013 by Mike Szczys 24 Comments

brute-force-an-electronic-safe

[Teatree] tells a sad, sad story about the lost password for his fire safe. The electronic keypad comes with a manufacturer’s code as well as a user selected combination. Somehow he managed to lose both of them, despite storing the user manual safely and sending the passwords to himself via email. He didn’t want to destroy the safe to get it open, and turning to the manufacturer for help seemed like a cop-out. But he did manage to recover the password by brute forcing the electronic keypad.

There is built-in brute force protection, but it has one major flaw. The system works by enforcing a two-minute lockout if a password is entered incorrectly three times in a row. But you can get around this by cutting the power. [Teatree] soldered a relay to each set of keypad contacts, and another to the power line and got to work writing some code so that his Arduino could start trying every possible combination. He even coded a system to send him email updates. Just six days of constant attacking netted him the proper password.

Breaking The Minteye Captcha Again

January 19, 2013 by Brian Benchoff 16 Comments

cap

A few days ago we saw a post from [samuirai] at the Shackspace hackerspace in Stuttgart on breaking the minteye captcha system. Like most other captcha cracks, [samuirai] used the voice accessibility option that provides an audio captcha for blind users. Using the accessibility option is a wonderful piece of work, but [Jack] came up with an even more elegant way to defeat the minteye captcha.

For those unfamiliar, the minteye captcha provides a picture tossed through a swirl filter with a slider underneath. Move the slider left or right to eliminate the swirl and you’ve passed the, “are you human” test. Instead of looking for straight lines, [Jack] came up with a solution that easily defeats the minteye captcha in 23 lines of Python: just minimize the length of all the edges found in the pic.

The idea behind the crack is simply the more you swirl an image, the longer the edges in the image become. Edge detection is a well-studied problem, so the only thing the minteye cracking script needed to do was to move the slider for the captcha from the left to the right and measure the lengths of all the edges.

[Jack] included the code for image processing part of his crack, fortunately leaving out the part where he returns an answer to the minteye captcha. For that, and a very elegant way to crack a captcha, we thank him.

Script Defeats Minteye CAPTCHA

January 16, 2013 by Mike Szczys 41 Comments

minteye-captcha-defeated

We hadn’t heard of minteye CAPTCHA before, but we’ve seen evidence of a script that can break the system. Minteye combines two things which you probably don’t love about the Internet: advertisements and CAPTCHA. The system uses a slider to distort an advertiser’s image. Once the slider is in just the right spot the image becomes clear and you can click on submit to see if you passed the challenge.

Challenges like this are impossible for the visually impaired, so there is usually an audio option as well. In this case the audio button will instruct you to move the slider to the right, left, or that it’s already in the correct place. [Samuirai] used the text2speech API available in Google Chrome to parse these commands. As you can see above, “movies later” is a misinterpretation of “move the slider”, but he was still able to get enough accuracy to solve the challenge. See the script in action in the video after the break.

Audio challenges have been exploited like this in the past. Check out this talk about beating reCAPTCHA through the audio option.

Continue reading “Script Defeats Minteye CAPTCHA” →

A Steampunk Combination Sketchbook

January 16, 2013 by Brian Benchoff 28 Comments

[Admiral Aaron Ravensdale], fine craftsman of steampunk wares, just finished up a new project. It’s a sketchbook protected by two layers of security, covered in gilded leather and drenched in the expositions of a [Jules Verne] novel.

The first layer of security for this sketchbook is a combination lock. On the cover are four switches, each with four positions. These are connected to a PICAXE microcontroller which goes to the next stage of the lock once the correct combination is entered.

The book’s security also includes a knock sensor. With a small piezo element hidden under the cover, [Ravensdale] deeds to tap the book with a specific pattern before it opens. The mechanical part is a small hobby servo also mounted to the cover that releases a pair of brass clasps once both locks are opened.

Like all of the [Admiral]’s builds, it’s a fine piece of craftsmanship, equally well suited to take on a holiday with the baron or to the opium dens of Ceylon.

You can check out [Admiral Ravensdale]’s demo of his sketchbook after the break.

Continue reading “A Steampunk Combination Sketchbook” →

Unsigned Code Running On Windows RT

January 9, 2013 by Mike Szczys 32 Comments

unsigned-code-on-windows-rt

A crack has been found in the armor of Windows RT. This subset of Windows 8 is designed to run on ARM processors. The payload listed in the image above allows you to run unsigned desktop applications on the OS.

We haven’t seen very much about the Windows RT package, so it’s nice to hear [Clrokr’s] thoughts on it. As far as he can tell the system has not been watered down from its Intel-aimed (x86) counterpart. Rather, RT seems to be a direct port with what is called “Code Integrity” mechanisms switched on. There is a kernel-level setting, barricaded behind UEFI’s Secure Boot, which determines the minimum software signing level allowed to run on the device. This is set to zero on a Windows 8 machine, but defaults to 8 on an ARM device. [Clrokr] uses a debugger to insert the code seen above into a DLL file in order to reset that minimum signing value to 0.

Do you have a project in mind for which this is useful? We’d love to hear about it in the comments!

[via Reddit]

Brute Forcing A GPS PIN

January 5, 2013 by Brian Benchoff 120 Comments

[JJ] picked up a Garmin Nuvi 780 GPS from an auction recently. One of the more frustrating features [JJ] ran into is it’s PIN code; this GPS can’t be unlocked unless a four-digit code is entered, or it’s taken to a ‘safe location’. Not wanting to let his auction windfall go to waste, [JJ] rigged up an automated brute force cracking robot to unlock this GPS.

The robot is built around an old HP scanner and a DVD drive sled to move the GPS in the X and Y axes. A clever little device made out of an eraser tip and a servo taps out every code from 0000 to 9999 and waits a bit to see if the device unlocks. It takes around 8 seconds for [JJ]’s robot to enter a single code, so entering all 10,000 PINs will take about a day and a half.

Fortunately, the people who enter these codes don’t care too much about the security of their GPS devices. The code used to unlock [JJ]’s GPS was 0248. It only took a couple of hours for the robot to enter the right code; we’d call that time well spent.

You can check out the brute force robot in action after the break.

Continue reading “Brute Forcing A GPS PIN” →

Building A Hardware Security Module

December 31, 2012 by Brian Benchoff 32 Comments

[Stefan] was nervous about putting the secret key for his Amazon Web Services account in his config file. In the security world, storing passwords in plain text is considered a very bad thing. but luckily there are ways around it. [Stefan]’s solution was to make a hardware security module out of the newest ARM-powered Arduino Due.

The build puts the secret key for [Stefan]’s AWS account right in the firmware of the Arduino Due (with the security bit on the Arduino flipped, of course). A Python web service then receives sign requests and talks to the Due over a serial port. The Due then signs the request and sends it off to another bit of Python code that handles the AWS API.

Hardware security modules are frequently used by three-letter government agencies to manage cryptography keys and ensure their data are encrypted properly. Instead of a hardware module costing tens of thousands of dollars, [Stefan]’s only cost the price of an Arduino Due; not too shabby for a hardware security module that can sign more than 2000 requests per second.