RFID Readers, Writers, And Spoofers

September 25, 2010 by Mike Szczys 12 Comments

[Carl] has done a lot of work developing a collection of RFID hardware. The two cards you see above are spoofers that can be programmed in the field using the keypad on the left, or the rather intimidating banks of DIP switches on the right. We also enjoyed his look at the Atmel T5557 and ATA5567 on-card chips used for the tags themselves. He shared the schematics for his designs but unfortunately he’s not distributing the firmware. None-the-less, if you’re interested in learning more about RFID this is a wonderful resource as it covers readers, writers, spoofer, and tags.

The HDCP Master Key

September 24, 2010 by Mike Szczys 23 Comments

Pastebin has the HDCP master key that we talked about in a post last week. This is the encryption protocol used for HDMI content protection on media such as Blu-Ray and High Definition cable television.

The master key array is a 40×40 set of 56-bit hex used to generate the key sets. You get one brief paragraph at the top of the document explaining what to do with this information. If you ask us we’re more interested in how this set was determined. So for some background information read the key selection vector (KSV) Wikipedia page. That points us to an interesting discussion proposing that if 40 unique device-specific KSVs can be captured, they could be used to reverse-engineer the master key. And finally, a bit of insight from a Reddit user (make your own decision on the dependability of this information) commenting on the value of having the master key.

In his comment, [iHelix150] covers the revocation system that HDCP uses to ban devices that are being used to circumvent copy protection. He says that having the master key makes it possible to push your own revocation lists onto devices. Each time a list is written to your device (TV, Blu-ray, etc.) the version number field for the list is updated. If you push an update with nothing on the revocation list, and set the version number to a binary value of all 1’s it will prevent any more rewrites of the list. This means that any previously banned hardware will be allowed back into the chain or trust.

So far this probably means nothing for you. But it’s fun to watch the cat-and-mouse involved in the DRM struggle, isn’t it?

Thieves, Armed With A Vacuum Cleaner, Still On The Run

September 24, 2010 by Caleb Kraft 32 Comments

Thieves in Paris have been stealing money with the clever use of a vacuum. Not just bits of change here and there, they’ve stolen over 500,000 euros. They noticed that Monoprix supermarkets use a pneumatic tube system to transport rolls of cash to and from the safe. Realizing this was the weakest point in the security, they simply drilled a big hole in the tube, hooked up a vacuum and sucked the cash out. Forget lock picking or safe cracking, this had to be ridiculously easy.

The thieves are still out there, sucking their way to riches. At this point, they’ve hit 15 locations. Their luck has to run out some time right?

[via Slashdot]

Intel: High-bandwidth Digital Content Protection Cracked

September 18, 2010 by Mike Szczys 54 Comments

Intel says that HDCP has been cracked, but they also say that it’s unlikely this information will be used to unlock the copying of anything. Their reasoning for the second statement is that for someone to make this work they would need to produce a computer chip, not something that is worth the effort.

We question that logic. Not so much for Blu-Ray, which is the commonly associated media format that uses HDCP, but for HD digital cable programming. There are folks out there who would like to have the option of recording their HD television shows without renting a DVR from the cable company. CableCard tuners have been mostly absent from the market, making this type of recording difficult or impossible. Now that there’s a proven way to get the encryption key for HDCP how hard would it really be to create a man-in-the-middle device that uses that key to authenticate, decrypt, and funnel the audio and video to another encoder card? We know next-to-nothing about the protocol but why couldn’t any powerful processor, like an ARM, or even an FPGA (both rather inexpensive and readily available) be programmed for this task?

Leave a comment to let us know what you think about HDCP, and what the availability of the master-key really means.

[Thanks Dave]

RFID Entry Uses Homemade Electronic Strike

September 9, 2010 by Mike Szczys 22 Comments

[Fileark] built an RFID entry system that uses a pretty ingenious alternative to an electronic strike plate. An electronic strike is a rather expensive hinged plate that mounts in the door frame and catches the door latch. But this system opens a set of double doors. The door without the handle is fixed in place and has a normal strike plate. But it also has a deadbolt mounted in line with that plate. When the deadbolt is extended it is flush with the strike plate, pushing the latch from the door knob back and freeing the door to swing open. This is a bit hard to put into words so watch the video after the break to clear things up.

The system uses a cheap RFID package that provides a single signal line. This line connects to an old VCR motor which turns the deadbolt. Timing is provided by a 555 chip, and the deadbolt movement is limited by a couple of switches mounted along with the motor.

Now that the unlocking mechanism has been built it would be simple to use other authentication methods for unlocking the door, like a wristwatch-based proximity system.

Continue reading “RFID Entry Uses Homemade Electronic Strike” →

Password Exploitation Classes Online

September 9, 2010 by Caleb Kraft 9 Comments

open sesame

Irongeek.com is hosting an online class on password exploitation. The event was a fundraiser called ShoeCon, but they are hosting the entire series for everyone to share. Not only are the videos there, but you can download the powerpoint slides as well. There is a massive amount of information here on various topics like Hashcat, OCLHashcat, Cain, SAMDump2, Nir’s Password Recovery Tools, Password Renew, Backtrack 4 R1, UBCD4Win. There’s so much info, they split it into 3 sections. The videos are fairly long, between 1 and 2.5 hours each. What might surprise people is the amount of time that google is actually one of the main tools.

These videos can be a fantastic resource for hobby hackers, IT admins, and security professionals.

Face-slapping Security Gaff In Stored-value Cards

September 7, 2010 by Mike Szczys 39 Comments

The laundry machines at [Hans Viksler’s] apartment were converted over from coin operation to stored value cards. We’ve all dealt with these cards before and [Hans] thought it would be fun to do a little sniffing around at how this particular company implements them. We’ve covered how to read these cards and there have been several stories regarding how to bypass the security that they use.

But [Hans] wasn’t interested in stealing value, just in seeing how things work. So he stuck the card in his reader and after looking around a bit he figured out that they use the Atmel AT88SC0404C chip. He downloaded the datasheet and started combing through the features and commands. The cards have a four-wrong-password lockout policy. He calculated that it would take an average of over two million cards to brute force the chip’s stored password. But further study showed that this is a moot point. He fed the default password from the datasheet to his card and it worked.

We know it takes quite a bit of knowledge for the average [Joe] to manipulate these cards at home, but changing the default password is literally the very least the company could have done to protect their system.