Extracting Data With Keyboard Emulation

October 30, 2012 by Brian Benchoff 58 Comments

A common challenge for computer security specialists is getting data out of a very locked-down system. Of course all network traffic on these test machines is monitored, and burning a CD or writing to a USB Flash drive is out of the question. Where there’s a will there’s a way, so [András] figured out how to extract data from a computer by emulating a keyboard.

Emulating a USB HID device is nothing new; the newest Arduino can do it, as can any AVR with the help of V-USB. [András]’s build emulates a USB keyboard that can download data from a computer by listening to the NUM, CAPS and SCROLL lock LEDs.

Of course, [András] first needs an app to transmit data through these keyboard status LEDs. To do this, his build carries with it a Windows executable file on the AVR’s Flash memory. After plugging his device into the computer, it writes this program to disk and is then able to send data out through keyboard status LEDs.

It’s not very fast – just over one byte per second – but [András] did manage to extract data from a computer, circumventing just about every anti-leaking solution.

LV0 Encryption Key Cracks Current And Future PlayStation 3 Firmware

October 25, 2012 by Mike Szczys 33 Comments

It looks like the security of the PlayStation 3 has been cracked wide open. But then again we’ve thought the same thing in the past and Sony managed to patch those exploits. The latest in the cat and mouse game is the release of the LV0 encryption codes for the PS3 console. The guys who discovered the magic strings of characters supposedly intended to keep them a secret, but have gone public after there was a leak and some black-hats now intend to use them for profit.

The keys are the bottom layer of security when pushing firmware updates to the PS3. With keys in hand, current and future upgrades can be unencrypted, altered, and repackaged without the gaming rig putting up a fuss. Our only real beef with the tight security came when Sony removed the ability to install Linux on systems marketed with this option. The availability of these keys should let you install just about whatever you want on your hardware.

[Thanks Kris via Phys]

Rooting A NeoTV Set Top Box From The Couch

October 25, 2012 by Mike Szczys 19 Comments

The NeoTV is a set top box built by Netgear to compete with the likes of Roku. It streams video from the usual Internet sources like Netflix, Hulu Plus, and YouTube. [Craig] recently cracked his unit open, and in the process discovered that the NeoTV can be rooted using nothing but the remote control.

He starts with a hardware overview. The box houses a single-board ARM design with a 128MB of NAND and 256MB of RAM. The serial port is easy to find, but it does not provide a root shell (which often is one of the easiest ways to root a device). He next turns to poking around the unencrypted firmware update to see what he can learn. That’s how he discovered that the SSID value when connecting to WiFi is fed into a system() command. This glaring security hole lets you run just about anything you want on the device by issuing commands as fake SSID names. It’s just a matter of a little Linux know-how and [Craig] now has root access on his device.

Brute Force Used To Crack A Key Logger’s Security Code

October 23, 2012 by Mike Szczys 29 Comments

The USB device seen plugged in on the right of this image was found in between the keyboard and USB port of the company computer belonging to a Senior Executive. [Brad Antoniewicz] was hired by the company to figure out what it is and what kind of damage it may have done. He ended up brute forcing an unlock code to access the device, but not before taking some careful steps along the way.

From the design and placement the hardware was most likely a key logger and after some searching around the Internet [Brad] and his colleagues ordered what they thought was the same model of device. They wanted one to test with before taking on the actual target. The logger doesn’t enumerate when plugged in. Instead it acts as a pass-through, keeping track of the keystrokes but also listening for a three-key unlock code. [Brad] wrote a program for the Teensy microcontroller which would brute force all of the combinations. It’s a good thing he did, because one of the combinations is a device erase code hardwired by the manufacturer. After altering the program to avoid that wipe code he successfully unlocked the malicious device. An explanation of the process is found in the video after the break.

Continue reading “Brute Force Used To Crack A Key Logger’s Security Code” →

Exploiting DFU Mode To Snag A Copy Of Firmware Upgrades

October 9, 2012 by Mike Szczys 11 Comments

[Travis Goodspeed] continues his work at educating the masses on how to reverse engineer closed hardware devices. This time around he’s showing us how to exploit the Device Firmware Updates protocol in order to get your hands on firmware images. It’s a relatively easy technique that uses a man-in-the-middle attack to dump the firmware image directly to a terminal window. This way you can get down to the nitty-gritty of decompiling and hex editing as quickly as possible.

For this hack he used his Facedancer board. We first saw the hardware used to emulate a USB device, allowing the user to send USB commands via software. Now it’s being used to emulate your victim hardware’s DFU mode. This is done by supplying the vendorID and productID of the victim, then pushing the firmware update as supplied by the manufacturer. In most cases this shouldn’t even require you to have the victim hardware on hand.

Scary Putin Guards Your Stash

October 8, 2012 by Mike Szczys 26 Comments

If anyone tries to take anything from this coin bank they’re going to have to brave the creepy looks that [Vladimir Putin] gives them. That’s because [Overflo] rigged up the wall hanging to react when you approach it. It’s all in the eyes, which open and turn red based on your proximity to the picture frame.

The frame itself is the ugliest thing [Overflo] could find at Ikea. He spray painted it gold and added an image of [Putin] with a zany background. At rest [Vlad] has his eyes closed. But the lids are connected to a servo motor to pull against the spring that keeps them shut. An infrared proximity sensor is used to trigger the eyelids when you get relatively close, but if you reach out your hand it will even light up the red LEDs hidden in the pupils of the eyes. See a demonstration of the setup in the video after the break.

Continue reading “Scary Putin Guards Your Stash” →

Malicious Raspberry Pi Power Strip Looks A Bit Scary

October 4, 2012 by Mike Szczys 28 Comments

What you see here is a Raspberry Pi shoehorned into a power strip. The idea is to leverage the power and low-cost of this board into a stealthy network observation device. It packs a similar punch as the Power Pwn but should cost at least $1100 less!

The fact that when you plug your Ethernet into this ‘surge protector’ it starts sniffing your traffic doesn’t really scare us. It’s the mains wiring that traverses the RPi itself that’s a bit unnerving. Call us overly-protective, but we like to see some shielding between our high-voltage and low-voltage components. But that aside, the rest of the hack is pretty solid. That item wrapped in electrical tape is a power converter for the board itself. It’s not shown here, but the NIC is patched into the surge protector’s RJ-45 connector. The one thing that might be nice to include is a WiFi nub so that you can access the strip wirelessly. This would open the door for other snooping items, like a small microphone.