How The Kindle Touch Jailbreak Was Discovered

The Kindle Touch has been rooted! There’s a proof video embedded after the break, but the best part about this discovery is that [Yifan Lu] wrote in-depth about how he discovered and exploited a security hole in the device.

The process begins by getting a dump of the firmware. If you remove the case it’s not hard to find the serial port on the board, which is what he did, but by then someone else had already dumped the image and uploaded it. We guess you could say that [Yifan] was shocked by what he found in the disassembly. This is a ground-up rewrite compared to past Kindle devices, and it seems there’s a lot to be hacked. The bootloader is not locked, but messing around with that is a good way to brick the device. The JavaScript used for the UI is not obfuscated, and Amazon included many hooks for later plugins. Long story short, hacks for previous Kindles won’t work here, but it should be easy to reverse engineer the software and write new ones.

Gaining access to the device is as easy as injecting some HTML code into the UI. It is then run by the device as root (no kidding!). [Yifan] grabbed an MP3 file, changed its tag information to the HTML attack code, then played the file on the device to exploit the flaw. How long before malicious data from illegally downloaded MP3 files ends up blanking the root file system on one of these?
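The rendering-side fix for this class of bug, as an added example that is not from [Yifan Lu]’s write-up or from Amazon’s firmware: a small Go parser pulls the title out of a constructed ID3v2.3 tag and escapes it before it is placed in the UI’s HTML, so markup in the tag shows up as text instead of being interpreted. The tag layout handled and the helper names are assumptions made for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"html"
)

// id3Title pulls the TIT2 (title) text out of a minimal ID3v2.3 tag (ISO-8859-1 text, no unsync assumed).
func id3Title(b []byte) (string, error) {
	if len(b) < 10 || string(b[:3]) != "ID3" {
		return "", errors.New("no ID3v2 header")
	}
	// Tag size is a 28-bit "syncsafe" integer: four bytes, seven bits each.
	size := int(b[6]&0x7f)<<21 | int(b[7]&0x7f)<<14 | int(b[8]&0x7f)<<7 | int(b[9]&0x7f)
	if 10+size > len(b) {
		return "", errors.New("tag size exceeds buffer")
	}
	p, end := 10, 10+size
	for p+10 <= end {
		id := string(b[p : p+4])
		fsize := int(binary.BigEndian.Uint32(b[p+4 : p+8])) // v2.3 frame sizes are plain big-endian
		p += 10
		if fsize < 1 || p+fsize > end {
			return "", errors.New("malformed frame")
		}
		if id == "TIT2" && b[p] == 0 {
			return string(b[p+1 : p+fsize]), nil
		}
		p += fsize
	}
	return "", errors.New("no TIT2 frame")
}

// renderTitle is the fix the UI needs: tag text is data, never markup, so escape it.
func renderTitle(title string) string {
	return `<div class="title">` + html.EscapeString(title) + `</div>`
}

// buildTag makes a one-frame tag whose title carries markup (constructed sample, title under 120 bytes).
func buildTag(title string) []byte {
	body := append([]byte{0}, title...)
	frame := append(append([]byte("TIT2"), 0, 0, 0, byte(len(body)), 0, 0), body...)
	return append([]byte{'I', 'D', '3', 3, 0, 0, 0, 0, 0, byte(len(frame))}, frame...)
}

func main() { // the same title placed raw (what the Kindle UI did) and escaped
	title, _ := id3Title(buildTag("<b>Free Book</b>"))
	fmt.Println("raw:", `<div class="title">`+title+`</div>`, "\nescaped:", renderTitle(title))
}
```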

HDCP Falls To FPGA-based Man-in-the-middle Attack

It’s been a little while since we talked about HDCP around here, but recent developments in the area of digital content protection are proving very interesting.

You might remember that the HDCP master key was leaked last year, a short while after Intel admitted that the protection had been cracked. While Intel conceded that HDCP had been broken, they shrugged off any suggestion that the information could be used to intercept HDCP data streams, claiming that a purpose-built processor would be required to do so. Arguing that building such a component would be extremely cost-prohibitive, Intel hoped to quash interest in the subject, but things didn’t work out quite as planned.

It seems that researchers in Germany have devised a way to build such a processor on an extremely reasonable budget. To achieve HDCP decryption on the fly, the researchers used a standard off-the-shelf Digilent Atlys Spartan-6 FPGA development board, which comes complete with HDMI input/output ports for easy access to the video stream in question. While not as cheap as the HDCP workaround we covered a few years ago, their solution should prove far more flexible than hard-wiring an HDMI cable to your television’s mainboard.

The team claims that while their man-in-the-middle attack is effective and undetectable, it will be of little practical use to pirates. While we are aware that HDMI data streams generate a ton of data, this sort of talking in absolutes makes us laugh, as it often seems to backfire in the long run.

[via Tom’s Hardware]

Researchers Claim That HP Laser Printers Can Be Hijacked To Steal Data And Catch Fire

The news was abuzz yesterday with coverage of a study released by Columbia University researchers warning consumers that HP laser printers are wide open to remote tampering and hacking. The researchers claim that the vast majority of printers from HP’s LaserJet line accept firmware updates without checking for any sort of digital authentication, allowing malicious users to abuse the machines remotely. The researchers go so far as to claim that modified firmware can be used to overheat the printer’s fuser, causing fires, to send sensitive documents to criminals, and even force the printers to become part of a botnet.

Officials at HP were quick to counter the claims, stating that all models built in 2009 and beyond require firmware to be digitally signed. Additionally, they say that all of the brand’s laser printers are armed with a thermal cutoff switch which would mitigate the fuser attack vector before any real fire risk would present itself. Despite HP’s statements, the researchers stand by their claims, asserting that vulnerable printers are still available for purchase at major office supply stores.

While most external attacks can easily be prevented with the use of a firewall, the fact that these printers accept unsigned firmware is undoubtedly an interesting one. We are curious to see if these revelations inspire anyone to create their own homebrew LaserJet firmware with advanced capabilities (and low toner warning overrides), or if this all simply fizzles out after a few weeks.
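What HP says its newer models do, as an added example that is neither HP’s nor the researchers’ code: an assumed update container (length-prefixed body followed by an Ed25519 signature over its SHA-256) and the check a printer should run before flashing, which rejects a tampered body, a truncated image, or an image signed with any key other than the one stored in the device.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed update container: 4-byte big-endian body length, body, then a 64-byte
// Ed25519 signature over SHA-256(body). The device needs only the vendor's public key.
const sigLen = ed25519.SignatureSize

// packUpdate is the vendor side: sign the body with the private key.
func packUpdate(priv ed25519.PrivateKey, body []byte) []byte {
	digest := sha256.Sum256(body)
	out := make([]byte, 4, 4+len(body)+sigLen)
	binary.BigEndian.PutUint32(out, uint32(len(body)))
	out = append(out, body...)
	return append(out, ed25519.Sign(priv, digest[:])...)
}

// verifyUpdate is the printer side: refuse to flash anything not signed by the key
// stored in the device. Returns the body only when the signature checks out.
func verifyUpdate(pub ed25519.PublicKey, img []byte) ([]byte, error) {
	if len(img) < 4+sigLen {
		return nil, errors.New("image too short")
	}
	n := int(binary.BigEndian.Uint32(img[:4]))
	if n != len(img)-4-sigLen {
		return nil, errors.New("length field does not match image")
	}
	body, sig := img[4:4+n], img[4+n:]
	digest := sha256.Sum256(body)
	if !ed25519.Verify(pub, digest[:], sig) {
		return nil, errors.New("bad signature: refusing to flash")
	}
	return body, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stand-in for the vendor key pair
	img := packUpdate(priv, []byte("constructed firmware body"))
	_, errGood := verifyUpdate(pub, img)
	img[10] ^= 0xff // one flipped byte, as any tampered image would have
	_, errBad := verifyUpdate(pub, img)
	fmt.Println("genuine accepted:", errGood == nil, "tampered rejected:", errBad != nil)
}
```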

Full Featured Security Lock Demonstration

[Arshad Pathan] let us know about his latest project, a modular code lock that can be adapted to many different situations.

The user interface is made up of a character LCD screen and a 3×4 keypad. For this example [Arshad] is using a stepper motor as the locking mechanism. When the board is first powered up it runs the stepper in one direction until receiving input from a limit switch. In this way, the microcontroller calibrates itself to ensure the lock is in a known position. From there it waits for user input. An unlocked door can be locked at any time by pressing the * key. Unlocking requires entry of the correct password. And a password can be changed by entering 9999 (followed by the old password when prompted).

In the video after the break [Arshad] does a great job of demonstrating the various modes which he has programmed. This stands on its own, but we always love to have more details so we’ve asked if [Arshad] is willing to share a schematic and the source code. We’ll update this post if we hear back from him.

Update: [Arshad] sent in a couple of schematics which can be found after the break.

Name These Parts: Verifone Payment Module Tear Down

[Jerzmacow] got his hands on this Verifone Vx570 handheld payment terminal at a flea market. It’s got a thermal printer, a magnetic card reader, and then there’s the big LCD screen and buttons. In other words, lots of parts for his hacking amusement. But first, he decided to take a look at the parts that went into the design. He carefully disassembled the device, documenting what he found along the way. He mentions that there’s a switch pressing against the underside of the LCD which disables the hardware when disassembled. So it sounds like he won’t be able to get it to work again (there’s a lithium battery inside which we’d guess powers some type of hardware kill switch circuit).

He posted an HD video of the tear down which we’ve embedded after the break. We find some of the design to be quite peculiar. Normally we have [Dave Jones] to walk us through design choices in his EEVblog hardware reviews. Since [Jerzmacow] wasn’t able to provide that level of insight, we’d love to hear what you think each piece of hardware is for. Leave your comments, along with time-stamps from the video. Specifically, what’s up with that strange board shown at 1:51?

Jarvis Opens The Door At P-Space

It seems like every Hackerspace should have some type of kludged-together access system on their entry door. [Vasilis] wrote in to share the system called Jarvis that controls access to P-Space, a Hackerspace in Patras, Greece. It’s an RFID-based system that offers a few nice features.

They already have a server running the webpage, so basing their entry system off of a computer was an easy option. You can get in one of two ways: by presenting your valid RFID tag to a reader at the front door, or by ringing the bell and having a member inside press the Big Button of Doom (BBoD), which is a wireless controller.

The BBoD has an XBee module inside which lets it send an unlock command back to the computer. The remote is powered by two AA batteries, and since it’s never on unless the button is pressed the team estimates these batteries should last around one year.

There’s even a feedback system. The computer posts the last few events to the webpage. So you can go online and see when the BBoD was used, or whose tag has recently unlocked the entrance, to tell if your friends are there.

RFID Reading And Spoofing

Locks are always temporary hindrances. After deciding to open the RFID-secured lock in his department, [Tixlegeek] built a device to read and spoof RFID tags (French, Google translate here).

The system is built around an ATmega32 microcontroller with a 16×2 LCD display. A commercial RFID reader module takes care of all the sniffing/cloning duties, and a small modulation circuit handles pumping those bits over to a lock. Right now, the spoofer can only handle reading and spoofing 125kHz RFID tags with no encryption or authorization. A tag that’s more complex than the duct tape RFID tag doesn’t work.

[Tixlegeek]’s little project does open up a few interesting avenues of exploring stuff that’s most certainly illegal. A smaller version of the project could be emplaced near a door or other RFID reader and left to crack a lock with a 32+62 bit password at 125 kilohertz. It wouldn’t be the fastest safecracker in the business, but it would work automatically as long as there is power.

If you’ve got any other ideas on what [Tixlegeek]’s RFID spoofer could do, leave a note in the comments.