Brute Force Used To Crack A Key Logger’s Security Code

October 23, 2012 by Mike Szczys 29 Comments

The USB device seen plugged in on the right of this image was found in between the keyboard and USB port of the company computer belonging to a Senior Executive. [Brad Antoniewicz] was hired by the company to figure out what it is and what kind of damage it may have done. He ended up brute forcing an unlock code to access the device, but not before taking some careful steps along the way.

From the design and placement the hardware was most likely a key logger and after some searching around the Internet [Brad] and his colleagues ordered what they thought was the same model of device. They wanted one to test with before taking on the actual target. The logger doesn’t enumerate when plugged in. Instead it acts as a pass-through, keeping track of the keystrokes but also listening for a three-key unlock code. [Brad] wrote a program for the Teensy microcontroller which would brute force all of the combinations. It’s a good thing he did, because one of the combinations is a device erase code hardwired by the manufacturer. After altering the program to avoid that wipe code he successfully unlocked the malicious device. An explanation of the process is found in the video after the break.

Continue reading “Brute Force Used To Crack A Key Logger’s Security Code” →

Exploiting DFU Mode To Snag A Copy Of Firmware Upgrades

October 9, 2012 by Mike Szczys 11 Comments

[Travis Goodspeed] continues his work at educating the masses on how to reverse engineer closed hardware devices. This time around he’s showing us how to exploit the Device Firmware Updates protocol in order to get your hands on firmware images. It’s a relatively easy technique that uses a man-in-the-middle attack to dump the firmware image directly to a terminal window. This way you can get down to the nitty-gritty of decompiling and hex editing as quickly as possible.

For this hack he used his Facedancer board. We first saw the hardware used to emulate a USB device, allowing the user to send USB commands via software. Now it’s being used to emulate your victim hardware’s DFU mode. This is done by supplying the vendorID and productID of the victim, then pushing the firmware update as supplied by the manufacturer. In most cases this shouldn’t even require you to have the victim hardware on hand.

Scary Putin Guards Your Stash

October 8, 2012 by Mike Szczys 26 Comments

If anyone tries to take anything from this coin bank they’re going to have to brave the creepy looks that [Vladimir Putin] gives them. That’s because [Overflo] rigged up the wall hanging to react when you approach it. It’s all in the eyes, which open and turn red based on your proximity to the picture frame.

The frame itself is the ugliest thing [Overflo] could find at Ikea. He spray painted it gold and added an image of [Putin] with a zany background. At rest [Vlad] has his eyes closed. But the lids are connected to a servo motor to pull against the spring that keeps them shut. An infrared proximity sensor is used to trigger the eyelids when you get relatively close, but if you reach out your hand it will even light up the red LEDs hidden in the pupils of the eyes. See a demonstration of the setup in the video after the break.

Continue reading “Scary Putin Guards Your Stash” →

Malicious Raspberry Pi Power Strip Looks A Bit Scary

October 4, 2012 by Mike Szczys 28 Comments

What you see here is a Raspberry Pi shoehorned into a power strip. The idea is to leverage the power and low-cost of this board into a stealthy network observation device. It packs a similar punch as the Power Pwn but should cost at least $1100 less!

The fact that when you plug your Ethernet into this ‘surge protector’ it starts sniffing your traffic doesn’t really scare us. It’s the mains wiring that traverses the RPi itself that’s a bit unnerving. Call us overly-protective, but we like to see some shielding between our high-voltage and low-voltage components. But that aside, the rest of the hack is pretty solid. That item wrapped in electrical tape is a power converter for the board itself. It’s not shown here, but the NIC is patched into the surge protector’s RJ-45 connector. The one thing that might be nice to include is a WiFi nub so that you can access the strip wirelessly. This would open the door for other snooping items, like a small microphone.

Disassembling And Reprogramming Webkeys

October 2, 2012 by Mike Szczys 13 Comments

Webkeys are small, inexpensive USB devices which launch a web browser when plugged into a computer. They’re given out as a promotional item, but they can be fun to hack as well. [Brad Antoniewicz] recently got his hands on one and decided to crack it open to see what he could accomplish.

The majority of the device was packaging but it didn’t take him long to get down to the guts seen here. There are two units shown in the image above so that we can get a look at both sides of the circuit board. As you can see, there’s a chip-on-board processor (that black blob) that handles the USB connectivity. But the data which is pushed to a computer is stored in that EEPROM chip at the top. It’s got legs which are just begging to be probed. [Brad] wasn’t able to find the exact datasheet but he got some clues as to the pinout. Using his Bus Pirate he was able to establish communications and sniff the i2c traffic. With that success he went on to overwrite that data. You can see a quick demonstration of it after the break.

[Brad] hopes to do a bit more with the hardware. He thinks those four pads can be used to reprogram the MCU. We’ll keep our eyes out for updates as he moves along on that mission.

Continue reading “Disassembling And Reprogramming Webkeys” →

Dry Erase Marker Opens All Hotel Room Doors

October 2, 2012 by Mike Szczys 50 Comments

If you’re carrying around an exposed circuit board and a bunch of wires people are going to notice you. But a dry erase marker won’t turn any heads. And this one holds its own little secret. It acts as a master key for hotel room door locks.

This is really more of a repackaging hack. The exploit is already quite well-known. The Onity brand of key card locks most commonly used in hotels have a power jack on the bottom that doubles as a 1-wire communications port. The first published proof of concept used an Arduino board and a simple adapter to unlock any door in under one second. Now that hardware has been reduced in size so that it fits in the hollow shell of a dry erase marker. Even better, the felt tip has been replaced with the appropriately sized barrel jack. Check out the ultra-fast and inconspicuous use of it after the break. We think using this is no more obvious than actually having the key card.

Continue reading “Dry Erase Marker Opens All Hotel Room Doors” →

Cryptography – Learn What It’s All About

September 25, 2012 by Mike Szczys 8 Comments

The concept of cryptography touches our lives many times per day, and that’s probably a conservative estimate. We have a pretty good idea of how it works, having dealt with public-key cryptography for things like remote git repositories or ssh tunneling without a password. But we still enjoyed reading [Tiberiu Barbu’s] primer on the subject which he calls From 0 to Cryptography.

He begins the discussion with a definition of terms but quickly moves to the topic of key distribution. If you’re using a key to decipher data, how can you make sure that key only makes it to the person whom you want reading the data? One way is to use a Diffie-Hellman key exchange. The diagram above illustrates the trade, which uses an agreed upon value (color in this example) as a common starting point, then goes from there. After working our way through the key exchange scenario [Tiberiu] then runs the gammut of other options, include Public-Key, RSA, Hash, Digital Certificate, and a few others. It’s not a long post considering how many topics it covers. If you don’t have time today, make sure to save it for the weekend.

[via Reddit]