Hacking BodyBugg Fitness Sensors To Get Around Subscription Fee

This arm cuff is a sensor package which logs data whenever you’re wearing it. It records accelerometer data, skin temperature, and galvanic skin response. That data can then be analyzed to arrive at figures like calories burned. But the company behind the device seems to have included a way to keep the cash flowing. Once you buy it you can read the data off of the device using a Java program they supply. But you can’t erase the data from the device unless you subscribe to their online service. Once it fills up, it’s useless. [Doug] wasn’t happy with this gotcha, so he reverse engineered the technique used to clear the BodyBugg’s memory.

There had been a few previous attempts at reverse engineering the device, but that groundwork didn’t really help [Doug] on his quest. He ended up disassembling the Java classes from the original program. This helped him figure out how to initialize communications. Once there he was happy to find that the device will tell you how to use it: if you issue an invalid command it will respond with a list of all valid commands. Everything you need to get up and running can be found in his GitHub repo.

DIY TSA Backscatter Body Scanner

[Ben Krasnow] built his own version of the TSA’s body scanner. The device works by firing a beam of x-rays at a target. Some of the beam will go through the target, some will be absorbed by the target, and some will reflect back. These reflected x-rays are called ‘backscatter’, and they are captured to create an image.

In [Ben]’s setup a rotating disk focuses x-rays into beams that travel in arcs across the X-axis. The disk is moved along the Y-axis to fill in the scan. On the disk assembly, there is a potentiometer to measure the Y-axis position of the beam, and an optical sensor to trigger an oscilloscope, aligning the left and right sides of the image. Using these two sensors, the scope can reconstruct an X-Y plot of the scan.

To detect the x-rays, a phosphor screen turns the backscattered x-rays into visible light, and a photomultiplier amplifies the light. A simple amplifier circuit connects the photomultiplier to the scope, controlling the brightness at each point.

The result is very similar to the TSA version, and [Ben] managed to learn a lot about the system from a patent. This isn’t the first body scanner we’ve seen though: [Jeri Ellsworth] built a microwave version a couple years ago.

The impressive build does a great job of teaching the fundamentals of backscatter imaging. [Ben] will be talking about the project at EHSM, which you should check out if you’re in Berlin from December 28th to the 30th. After the break, watch [Ben]’s machine scan a turkey in a Christmas sweater.


A Better Way To Hack iClass RFID Readers

iClass is an RFID standard that is aimed at better security through encryption and authentication. While it is more secure than some other RFID implementations, it is still possible to hack the system. But initial iClass exploits were quite invasive. [Brad Antoniewicz] published a post which talks about early attacks on the system, and then demonstrates a better way to exploit iClass readers.

We remember seeing the talk on iClass from 27C3 about a year and a half ago. While the technique was interesting, it was incredibly invasive. An attacker needed multiple iClass readers at his disposal as the method involved overwriting part of the firmware in order to get a partial dump, then patching those image pieces back together. [Brad] makes the point that this is fine with an off-the-shelf system, but high-security installations will be using custom images. This means you would need to get multiple readers off the wall of the building you’re trying to sneak into.

But his method is different. He managed to get a dump of the EEPROM from a reader using an FTDI cable and an external power source. If you want to see how he’s circumventing the PIC read protection you’ll have to dig into the source code linked in his article.

Giving An Apartment Keyless Entry

The key for [rybitski]’s apartment is a copy of a copy of a copy, and the landlord lost the original key years ago. The lock itself still works, but opening it with [rybitski]’s key is a chore. He wanted to make it easier to get into his apartment, and with Arduinos and such he figured he could make a keyless entry device for his front door.

After figuring out how to open his deadbolt with an Arduino and a rather powerful servo, [rybitski] looked into wireless control options. He found a keyless entry remote, complete with receiver, that integrates easily with just about any microcontroller project.

After mounting the Arduino, receiver, and servo on a piece of plastic, he attached his contraption to the deadbolt. In the video after the break, you can see his key fob remote locking and unlocking the deadbolt, all without jamming an ill-fitting key into the lock.


Extracting Data With Keyboard Emulation

A common challenge for computer security specialists is getting data out of a very locked-down system. Of course all network traffic on these test machines is monitored, and burning a CD or writing to a USB Flash drive is out of the question. Where there’s a will there’s a way, so [András] figured out how to extract data from a computer by emulating a keyboard.

Emulating a USB HID device is nothing new; the newest Arduino can do it, as can any AVR with the help of V-USB. [András]’s build emulates a USB keyboard that can download data from a computer by listening to the NUM, CAPS and SCROLL lock LEDs.

Of course, [András] first needs an app to transmit data through these keyboard status LEDs. To do this, his build carries with it a Windows executable file on the AVR’s Flash memory. After plugging his device into the computer, it writes this program to disk and is then able to send data out through keyboard status LEDs.

It’s not very fast, just over one byte per second, but [András] did manage to extract data from a computer, circumventing just about every anti-leak solution.

LV0 Encryption Key Cracks Current And Future PlayStation 3 Firmware

It looks like the security of the PlayStation 3 has been cracked wide open. But then again we’ve thought the same thing in the past and Sony managed to patch those exploits. The latest move in the cat and mouse game is the release of the LV0 encryption keys for the PS3 console. The people who discovered the magic strings of characters supposedly intended to keep them secret, but have gone public after there was a leak and some black-hats now intend to use them for profit.

The keys are the bottom layer of security when pushing firmware updates to the PS3. With keys in hand, current and future upgrades can be unencrypted, altered, and repackaged without the gaming rig putting up a fuss. Our only real beef with the tight security came when Sony removed the ability to install Linux on systems marketed with this option. The availability of these keys should let you install just about whatever you want on your hardware.

[Thanks Kris via Phys]

Rooting A NeoTV Set Top Box From The Couch

The NeoTV is a set top box built by Netgear to compete with the likes of Roku. It streams video from the usual Internet sources like Netflix, Hulu Plus, and YouTube. [Craig] recently cracked his unit open, and in the process discovered that the NeoTV can be rooted using nothing but the remote control.

He starts with a hardware overview. The box houses a single-board ARM design with 128MB of NAND and 256MB of RAM. The serial port is easy to find, but it does not provide a root shell (which is often one of the easiest ways to root a device). He next turns to poking around the unencrypted firmware update to see what he can learn. That’s how he discovered that the SSID entered when connecting to WiFi is passed, without any escaping or validation, into a system() call. This glaring security hole lets you run just about anything you want on the device by issuing commands disguised as SSID names. With a little Linux know-how, [Craig] now has root access on his device.
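As an added example (not [Craig]’s code or the NeoTV firmware), here is the unsafe pattern the write-up describes next to a hardened form: the SSID is allow-list validated and handed to the helper as its own argv element, so no shell ever parses it. The tool name wifi_connect_tool is a hypothetical placeholder.

```c
/* Added example, not from the NeoTV firmware. "wifi_connect_tool" is a
 * hypothetical placeholder for whatever binary the box uses to join a network. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

#define SSID_MAX_LEN 32  /* IEEE 802.11 limit on SSID length in octets */

/* Unsafe: the SSID is spliced into a shell command line, so any shell
 * metacharacters in it are interpreted by /bin/sh, not by the WiFi tool. */
int connect_wifi_unsafe(const char *ssid)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "wifi_connect_tool --ssid %s", ssid);
    return system(cmd);   /* runs /bin/sh -c "<cmd>" */
}

/* Allow-list check: length limit plus a conservative character set.
 * Rejects anything a shell could treat specially. */
bool ssid_is_safe(const char *ssid)
{
    size_t n = strlen(ssid);
    if (n == 0 || n > SSID_MAX_LEN) return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)ssid[i];
        if (!(isalnum(c) || c == ' ' || c == '-' || c == '_' || c == '.'))
            return false;
    }
    return true;
}

/* Hardened: validate, then exec the tool directly with the SSID as a separate
 * argument. Returns the child's exit status, or -1 if refused or on error. */
int connect_wifi_safe(const char *ssid)
{
    if (!ssid_is_safe(ssid)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {"wifi_connect_tool", "--ssid", (char *)ssid, NULL};
        execvp(argv[0], argv);
        _exit(127);   /* exec failed; never fall through into the parent's code */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```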